1/*-
2 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
3 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
4 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * a) Redistributions of source code must retain the above copyright notice,
10 *    this list of conditions and the following disclaimer.
11 *
12 * b) Redistributions in binary form must reproduce the above copyright
13 *    notice, this list of conditions and the following disclaimer in
14 *    the documentation and/or other materials provided with the distribution.
15 *
16 * c) Neither the name of Cisco Systems, Inc. nor the names of its
17 *    contributors may be used to endorse or promote products derived
18 *    from this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
30 * THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33#ifdef __FreeBSD__
34#include <sys/cdefs.h>
35__FBSDID("$FreeBSD: head/sys/netinet/sctp_output.c 271230 2014-09-07 18:05:37Z tuexen $");
36#endif
37
38#include <netinet/sctp_os.h>
39#ifdef __FreeBSD__
40#include <sys/proc.h>
41#endif
42#include <netinet/sctp_var.h>
43#include <netinet/sctp_sysctl.h>
44#include <netinet/sctp_header.h>
45#include <netinet/sctp_pcb.h>
46#include <netinet/sctputil.h>
47#include <netinet/sctp_output.h>
48#include <netinet/sctp_uio.h>
49#include <netinet/sctputil.h>
50#include <netinet/sctp_auth.h>
51#include <netinet/sctp_timer.h>
52#include <netinet/sctp_asconf.h>
53#include <netinet/sctp_indata.h>
54#include <netinet/sctp_bsd_addr.h>
55#include <netinet/sctp_input.h>
56#include <netinet/sctp_crc32.h>
57#if defined(__Userspace_os_Linux)
58#define __FAVOR_BSD    /* (on Ubuntu at least) enables UDP header field names like BSD in RFC 768 */
59#endif
60#if defined(INET) || defined(INET6)
61#if !defined(__Userspace_os_Windows)
62#include <netinet/udp.h>
63#endif
64#endif
65#if defined(__APPLE__)
66#include <netinet/in.h>
67#endif
68#if defined(__FreeBSD__)
69#if defined(__FreeBSD__) && __FreeBSD_version >= 800000
70#include <netinet/udp_var.h>
71#endif
72#include <machine/in_cksum.h>
73#endif
74#if defined(__Userspace__) && defined(INET6)
75#include <netinet6/sctp6_var.h>
76#endif
77
78#if defined(__APPLE__)
79#define APPLE_FILE_NO 3
80#endif
81
82#if defined(__APPLE__)
83#if !(defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD))
84#define SCTP_MAX_LINKHDR 16
85#endif
86#endif
87
88#define SCTP_MAX_GAPS_INARRAY 4
89struct sack_track {
90	uint8_t right_edge;	/* mergable on the right edge */
91	uint8_t left_edge;	/* mergable on the left edge */
92	uint8_t num_entries;
93	uint8_t spare;
94	struct sctp_gap_ack_block gaps[SCTP_MAX_GAPS_INARRAY];
95};
96
97struct sack_track sack_array[256] = {
98	{0, 0, 0, 0,		/* 0x00 */
99		{{0, 0},
100		{0, 0},
101		{0, 0},
102		{0, 0}
103		}
104	},
105	{1, 0, 1, 0,		/* 0x01 */
106		{{0, 0},
107		{0, 0},
108		{0, 0},
109		{0, 0}
110		}
111	},
112	{0, 0, 1, 0,		/* 0x02 */
113		{{1, 1},
114		{0, 0},
115		{0, 0},
116		{0, 0}
117		}
118	},
119	{1, 0, 1, 0,		/* 0x03 */
120		{{0, 1},
121		{0, 0},
122		{0, 0},
123		{0, 0}
124		}
125	},
126	{0, 0, 1, 0,		/* 0x04 */
127		{{2, 2},
128		{0, 0},
129		{0, 0},
130		{0, 0}
131		}
132	},
133	{1, 0, 2, 0,		/* 0x05 */
134		{{0, 0},
135		{2, 2},
136		{0, 0},
137		{0, 0}
138		}
139	},
140	{0, 0, 1, 0,		/* 0x06 */
141		{{1, 2},
142		{0, 0},
143		{0, 0},
144		{0, 0}
145		}
146	},
147	{1, 0, 1, 0,		/* 0x07 */
148		{{0, 2},
149		{0, 0},
150		{0, 0},
151		{0, 0}
152		}
153	},
154	{0, 0, 1, 0,		/* 0x08 */
155		{{3, 3},
156		{0, 0},
157		{0, 0},
158		{0, 0}
159		}
160	},
161	{1, 0, 2, 0,		/* 0x09 */
162		{{0, 0},
163		{3, 3},
164		{0, 0},
165		{0, 0}
166		}
167	},
168	{0, 0, 2, 0,		/* 0x0a */
169		{{1, 1},
170		{3, 3},
171		{0, 0},
172		{0, 0}
173		}
174	},
175	{1, 0, 2, 0,		/* 0x0b */
176		{{0, 1},
177		{3, 3},
178		{0, 0},
179		{0, 0}
180		}
181	},
182	{0, 0, 1, 0,		/* 0x0c */
183		{{2, 3},
184		{0, 0},
185		{0, 0},
186		{0, 0}
187		}
188	},
189	{1, 0, 2, 0,		/* 0x0d */
190		{{0, 0},
191		{2, 3},
192		{0, 0},
193		{0, 0}
194		}
195	},
196	{0, 0, 1, 0,		/* 0x0e */
197		{{1, 3},
198		{0, 0},
199		{0, 0},
200		{0, 0}
201		}
202	},
203	{1, 0, 1, 0,		/* 0x0f */
204		{{0, 3},
205		{0, 0},
206		{0, 0},
207		{0, 0}
208		}
209	},
210	{0, 0, 1, 0,		/* 0x10 */
211		{{4, 4},
212		{0, 0},
213		{0, 0},
214		{0, 0}
215		}
216	},
217	{1, 0, 2, 0,		/* 0x11 */
218		{{0, 0},
219		{4, 4},
220		{0, 0},
221		{0, 0}
222		}
223	},
224	{0, 0, 2, 0,		/* 0x12 */
225		{{1, 1},
226		{4, 4},
227		{0, 0},
228		{0, 0}
229		}
230	},
231	{1, 0, 2, 0,		/* 0x13 */
232		{{0, 1},
233		{4, 4},
234		{0, 0},
235		{0, 0}
236		}
237	},
238	{0, 0, 2, 0,		/* 0x14 */
239		{{2, 2},
240		{4, 4},
241		{0, 0},
242		{0, 0}
243		}
244	},
245	{1, 0, 3, 0,		/* 0x15 */
246		{{0, 0},
247		{2, 2},
248		{4, 4},
249		{0, 0}
250		}
251	},
252	{0, 0, 2, 0,		/* 0x16 */
253		{{1, 2},
254		{4, 4},
255		{0, 0},
256		{0, 0}
257		}
258	},
259	{1, 0, 2, 0,		/* 0x17 */
260		{{0, 2},
261		{4, 4},
262		{0, 0},
263		{0, 0}
264		}
265	},
266	{0, 0, 1, 0,		/* 0x18 */
267		{{3, 4},
268		{0, 0},
269		{0, 0},
270		{0, 0}
271		}
272	},
273	{1, 0, 2, 0,		/* 0x19 */
274		{{0, 0},
275		{3, 4},
276		{0, 0},
277		{0, 0}
278		}
279	},
280	{0, 0, 2, 0,		/* 0x1a */
281		{{1, 1},
282		{3, 4},
283		{0, 0},
284		{0, 0}
285		}
286	},
287	{1, 0, 2, 0,		/* 0x1b */
288		{{0, 1},
289		{3, 4},
290		{0, 0},
291		{0, 0}
292		}
293	},
294	{0, 0, 1, 0,		/* 0x1c */
295		{{2, 4},
296		{0, 0},
297		{0, 0},
298		{0, 0}
299		}
300	},
301	{1, 0, 2, 0,		/* 0x1d */
302		{{0, 0},
303		{2, 4},
304		{0, 0},
305		{0, 0}
306		}
307	},
308	{0, 0, 1, 0,		/* 0x1e */
309		{{1, 4},
310		{0, 0},
311		{0, 0},
312		{0, 0}
313		}
314	},
315	{1, 0, 1, 0,		/* 0x1f */
316		{{0, 4},
317		{0, 0},
318		{0, 0},
319		{0, 0}
320		}
321	},
322	{0, 0, 1, 0,		/* 0x20 */
323		{{5, 5},
324		{0, 0},
325		{0, 0},
326		{0, 0}
327		}
328	},
329	{1, 0, 2, 0,		/* 0x21 */
330		{{0, 0},
331		{5, 5},
332		{0, 0},
333		{0, 0}
334		}
335	},
336	{0, 0, 2, 0,		/* 0x22 */
337		{{1, 1},
338		{5, 5},
339		{0, 0},
340		{0, 0}
341		}
342	},
343	{1, 0, 2, 0,		/* 0x23 */
344		{{0, 1},
345		{5, 5},
346		{0, 0},
347		{0, 0}
348		}
349	},
350	{0, 0, 2, 0,		/* 0x24 */
351		{{2, 2},
352		{5, 5},
353		{0, 0},
354		{0, 0}
355		}
356	},
357	{1, 0, 3, 0,		/* 0x25 */
358		{{0, 0},
359		{2, 2},
360		{5, 5},
361		{0, 0}
362		}
363	},
364	{0, 0, 2, 0,		/* 0x26 */
365		{{1, 2},
366		{5, 5},
367		{0, 0},
368		{0, 0}
369		}
370	},
371	{1, 0, 2, 0,		/* 0x27 */
372		{{0, 2},
373		{5, 5},
374		{0, 0},
375		{0, 0}
376		}
377	},
378	{0, 0, 2, 0,		/* 0x28 */
379		{{3, 3},
380		{5, 5},
381		{0, 0},
382		{0, 0}
383		}
384	},
385	{1, 0, 3, 0,		/* 0x29 */
386		{{0, 0},
387		{3, 3},
388		{5, 5},
389		{0, 0}
390		}
391	},
392	{0, 0, 3, 0,		/* 0x2a */
393		{{1, 1},
394		{3, 3},
395		{5, 5},
396		{0, 0}
397		}
398	},
399	{1, 0, 3, 0,		/* 0x2b */
400		{{0, 1},
401		{3, 3},
402		{5, 5},
403		{0, 0}
404		}
405	},
406	{0, 0, 2, 0,		/* 0x2c */
407		{{2, 3},
408		{5, 5},
409		{0, 0},
410		{0, 0}
411		}
412	},
413	{1, 0, 3, 0,		/* 0x2d */
414		{{0, 0},
415		{2, 3},
416		{5, 5},
417		{0, 0}
418		}
419	},
420	{0, 0, 2, 0,		/* 0x2e */
421		{{1, 3},
422		{5, 5},
423		{0, 0},
424		{0, 0}
425		}
426	},
427	{1, 0, 2, 0,		/* 0x2f */
428		{{0, 3},
429		{5, 5},
430		{0, 0},
431		{0, 0}
432		}
433	},
434	{0, 0, 1, 0,		/* 0x30 */
435		{{4, 5},
436		{0, 0},
437		{0, 0},
438		{0, 0}
439		}
440	},
441	{1, 0, 2, 0,		/* 0x31 */
442		{{0, 0},
443		{4, 5},
444		{0, 0},
445		{0, 0}
446		}
447	},
448	{0, 0, 2, 0,		/* 0x32 */
449		{{1, 1},
450		{4, 5},
451		{0, 0},
452		{0, 0}
453		}
454	},
455	{1, 0, 2, 0,		/* 0x33 */
456		{{0, 1},
457		{4, 5},
458		{0, 0},
459		{0, 0}
460		}
461	},
462	{0, 0, 2, 0,		/* 0x34 */
463		{{2, 2},
464		{4, 5},
465		{0, 0},
466		{0, 0}
467		}
468	},
469	{1, 0, 3, 0,		/* 0x35 */
470		{{0, 0},
471		{2, 2},
472		{4, 5},
473		{0, 0}
474		}
475	},
476	{0, 0, 2, 0,		/* 0x36 */
477		{{1, 2},
478		{4, 5},
479		{0, 0},
480		{0, 0}
481		}
482	},
483	{1, 0, 2, 0,		/* 0x37 */
484		{{0, 2},
485		{4, 5},
486		{0, 0},
487		{0, 0}
488		}
489	},
490	{0, 0, 1, 0,		/* 0x38 */
491		{{3, 5},
492		{0, 0},
493		{0, 0},
494		{0, 0}
495		}
496	},
497	{1, 0, 2, 0,		/* 0x39 */
498		{{0, 0},
499		{3, 5},
500		{0, 0},
501		{0, 0}
502		}
503	},
504	{0, 0, 2, 0,		/* 0x3a */
505		{{1, 1},
506		{3, 5},
507		{0, 0},
508		{0, 0}
509		}
510	},
511	{1, 0, 2, 0,		/* 0x3b */
512		{{0, 1},
513		{3, 5},
514		{0, 0},
515		{0, 0}
516		}
517	},
518	{0, 0, 1, 0,		/* 0x3c */
519		{{2, 5},
520		{0, 0},
521		{0, 0},
522		{0, 0}
523		}
524	},
525	{1, 0, 2, 0,		/* 0x3d */
526		{{0, 0},
527		{2, 5},
528		{0, 0},
529		{0, 0}
530		}
531	},
532	{0, 0, 1, 0,		/* 0x3e */
533		{{1, 5},
534		{0, 0},
535		{0, 0},
536		{0, 0}
537		}
538	},
539	{1, 0, 1, 0,		/* 0x3f */
540		{{0, 5},
541		{0, 0},
542		{0, 0},
543		{0, 0}
544		}
545	},
546	{0, 0, 1, 0,		/* 0x40 */
547		{{6, 6},
548		{0, 0},
549		{0, 0},
550		{0, 0}
551		}
552	},
553	{1, 0, 2, 0,		/* 0x41 */
554		{{0, 0},
555		{6, 6},
556		{0, 0},
557		{0, 0}
558		}
559	},
560	{0, 0, 2, 0,		/* 0x42 */
561		{{1, 1},
562		{6, 6},
563		{0, 0},
564		{0, 0}
565		}
566	},
567	{1, 0, 2, 0,		/* 0x43 */
568		{{0, 1},
569		{6, 6},
570		{0, 0},
571		{0, 0}
572		}
573	},
574	{0, 0, 2, 0,		/* 0x44 */
575		{{2, 2},
576		{6, 6},
577		{0, 0},
578		{0, 0}
579		}
580	},
581	{1, 0, 3, 0,		/* 0x45 */
582		{{0, 0},
583		{2, 2},
584		{6, 6},
585		{0, 0}
586		}
587	},
588	{0, 0, 2, 0,		/* 0x46 */
589		{{1, 2},
590		{6, 6},
591		{0, 0},
592		{0, 0}
593		}
594	},
595	{1, 0, 2, 0,		/* 0x47 */
596		{{0, 2},
597		{6, 6},
598		{0, 0},
599		{0, 0}
600		}
601	},
602	{0, 0, 2, 0,		/* 0x48 */
603		{{3, 3},
604		{6, 6},
605		{0, 0},
606		{0, 0}
607		}
608	},
609	{1, 0, 3, 0,		/* 0x49 */
610		{{0, 0},
611		{3, 3},
612		{6, 6},
613		{0, 0}
614		}
615	},
616	{0, 0, 3, 0,		/* 0x4a */
617		{{1, 1},
618		{3, 3},
619		{6, 6},
620		{0, 0}
621		}
622	},
623	{1, 0, 3, 0,		/* 0x4b */
624		{{0, 1},
625		{3, 3},
626		{6, 6},
627		{0, 0}
628		}
629	},
630	{0, 0, 2, 0,		/* 0x4c */
631		{{2, 3},
632		{6, 6},
633		{0, 0},
634		{0, 0}
635		}
636	},
637	{1, 0, 3, 0,		/* 0x4d */
638		{{0, 0},
639		{2, 3},
640		{6, 6},
641		{0, 0}
642		}
643	},
644	{0, 0, 2, 0,		/* 0x4e */
645		{{1, 3},
646		{6, 6},
647		{0, 0},
648		{0, 0}
649		}
650	},
651	{1, 0, 2, 0,		/* 0x4f */
652		{{0, 3},
653		{6, 6},
654		{0, 0},
655		{0, 0}
656		}
657	},
658	{0, 0, 2, 0,		/* 0x50 */
659		{{4, 4},
660		{6, 6},
661		{0, 0},
662		{0, 0}
663		}
664	},
665	{1, 0, 3, 0,		/* 0x51 */
666		{{0, 0},
667		{4, 4},
668		{6, 6},
669		{0, 0}
670		}
671	},
672	{0, 0, 3, 0,		/* 0x52 */
673		{{1, 1},
674		{4, 4},
675		{6, 6},
676		{0, 0}
677		}
678	},
679	{1, 0, 3, 0,		/* 0x53 */
680		{{0, 1},
681		{4, 4},
682		{6, 6},
683		{0, 0}
684		}
685	},
686	{0, 0, 3, 0,		/* 0x54 */
687		{{2, 2},
688		{4, 4},
689		{6, 6},
690		{0, 0}
691		}
692	},
693	{1, 0, 4, 0,		/* 0x55 */
694		{{0, 0},
695		{2, 2},
696		{4, 4},
697		{6, 6}
698		}
699	},
700	{0, 0, 3, 0,		/* 0x56 */
701		{{1, 2},
702		{4, 4},
703		{6, 6},
704		{0, 0}
705		}
706	},
707	{1, 0, 3, 0,		/* 0x57 */
708		{{0, 2},
709		{4, 4},
710		{6, 6},
711		{0, 0}
712		}
713	},
714	{0, 0, 2, 0,		/* 0x58 */
715		{{3, 4},
716		{6, 6},
717		{0, 0},
718		{0, 0}
719		}
720	},
721	{1, 0, 3, 0,		/* 0x59 */
722		{{0, 0},
723		{3, 4},
724		{6, 6},
725		{0, 0}
726		}
727	},
728	{0, 0, 3, 0,		/* 0x5a */
729		{{1, 1},
730		{3, 4},
731		{6, 6},
732		{0, 0}
733		}
734	},
735	{1, 0, 3, 0,		/* 0x5b */
736		{{0, 1},
737		{3, 4},
738		{6, 6},
739		{0, 0}
740		}
741	},
742	{0, 0, 2, 0,		/* 0x5c */
743		{{2, 4},
744		{6, 6},
745		{0, 0},
746		{0, 0}
747		}
748	},
749	{1, 0, 3, 0,		/* 0x5d */
750		{{0, 0},
751		{2, 4},
752		{6, 6},
753		{0, 0}
754		}
755	},
756	{0, 0, 2, 0,		/* 0x5e */
757		{{1, 4},
758		{6, 6},
759		{0, 0},
760		{0, 0}
761		}
762	},
763	{1, 0, 2, 0,		/* 0x5f */
764		{{0, 4},
765		{6, 6},
766		{0, 0},
767		{0, 0}
768		}
769	},
770	{0, 0, 1, 0,		/* 0x60 */
771		{{5, 6},
772		{0, 0},
773		{0, 0},
774		{0, 0}
775		}
776	},
777	{1, 0, 2, 0,		/* 0x61 */
778		{{0, 0},
779		{5, 6},
780		{0, 0},
781		{0, 0}
782		}
783	},
784	{0, 0, 2, 0,		/* 0x62 */
785		{{1, 1},
786		{5, 6},
787		{0, 0},
788		{0, 0}
789		}
790	},
791	{1, 0, 2, 0,		/* 0x63 */
792		{{0, 1},
793		{5, 6},
794		{0, 0},
795		{0, 0}
796		}
797	},
798	{0, 0, 2, 0,		/* 0x64 */
799		{{2, 2},
800		{5, 6},
801		{0, 0},
802		{0, 0}
803		}
804	},
805	{1, 0, 3, 0,		/* 0x65 */
806		{{0, 0},
807		{2, 2},
808		{5, 6},
809		{0, 0}
810		}
811	},
812	{0, 0, 2, 0,		/* 0x66 */
813		{{1, 2},
814		{5, 6},
815		{0, 0},
816		{0, 0}
817		}
818	},
819	{1, 0, 2, 0,		/* 0x67 */
820		{{0, 2},
821		{5, 6},
822		{0, 0},
823		{0, 0}
824		}
825	},
826	{0, 0, 2, 0,		/* 0x68 */
827		{{3, 3},
828		{5, 6},
829		{0, 0},
830		{0, 0}
831		}
832	},
833	{1, 0, 3, 0,		/* 0x69 */
834		{{0, 0},
835		{3, 3},
836		{5, 6},
837		{0, 0}
838		}
839	},
840	{0, 0, 3, 0,		/* 0x6a */
841		{{1, 1},
842		{3, 3},
843		{5, 6},
844		{0, 0}
845		}
846	},
847	{1, 0, 3, 0,		/* 0x6b */
848		{{0, 1},
849		{3, 3},
850		{5, 6},
851		{0, 0}
852		}
853	},
854	{0, 0, 2, 0,		/* 0x6c */
855		{{2, 3},
856		{5, 6},
857		{0, 0},
858		{0, 0}
859		}
860	},
861	{1, 0, 3, 0,		/* 0x6d */
862		{{0, 0},
863		{2, 3},
864		{5, 6},
865		{0, 0}
866		}
867	},
868	{0, 0, 2, 0,		/* 0x6e */
869		{{1, 3},
870		{5, 6},
871		{0, 0},
872		{0, 0}
873		}
874	},
875	{1, 0, 2, 0,		/* 0x6f */
876		{{0, 3},
877		{5, 6},
878		{0, 0},
879		{0, 0}
880		}
881	},
882	{0, 0, 1, 0,		/* 0x70 */
883		{{4, 6},
884		{0, 0},
885		{0, 0},
886		{0, 0}
887		}
888	},
889	{1, 0, 2, 0,		/* 0x71 */
890		{{0, 0},
891		{4, 6},
892		{0, 0},
893		{0, 0}
894		}
895	},
896	{0, 0, 2, 0,		/* 0x72 */
897		{{1, 1},
898		{4, 6},
899		{0, 0},
900		{0, 0}
901		}
902	},
903	{1, 0, 2, 0,		/* 0x73 */
904		{{0, 1},
905		{4, 6},
906		{0, 0},
907		{0, 0}
908		}
909	},
910	{0, 0, 2, 0,		/* 0x74 */
911		{{2, 2},
912		{4, 6},
913		{0, 0},
914		{0, 0}
915		}
916	},
917	{1, 0, 3, 0,		/* 0x75 */
918		{{0, 0},
919		{2, 2},
920		{4, 6},
921		{0, 0}
922		}
923	},
924	{0, 0, 2, 0,		/* 0x76 */
925		{{1, 2},
926		{4, 6},
927		{0, 0},
928		{0, 0}
929		}
930	},
931	{1, 0, 2, 0,		/* 0x77 */
932		{{0, 2},
933		{4, 6},
934		{0, 0},
935		{0, 0}
936		}
937	},
938	{0, 0, 1, 0,		/* 0x78 */
939		{{3, 6},
940		{0, 0},
941		{0, 0},
942		{0, 0}
943		}
944	},
945	{1, 0, 2, 0,		/* 0x79 */
946		{{0, 0},
947		{3, 6},
948		{0, 0},
949		{0, 0}
950		}
951	},
952	{0, 0, 2, 0,		/* 0x7a */
953		{{1, 1},
954		{3, 6},
955		{0, 0},
956		{0, 0}
957		}
958	},
959	{1, 0, 2, 0,		/* 0x7b */
960		{{0, 1},
961		{3, 6},
962		{0, 0},
963		{0, 0}
964		}
965	},
966	{0, 0, 1, 0,		/* 0x7c */
967		{{2, 6},
968		{0, 0},
969		{0, 0},
970		{0, 0}
971		}
972	},
973	{1, 0, 2, 0,		/* 0x7d */
974		{{0, 0},
975		{2, 6},
976		{0, 0},
977		{0, 0}
978		}
979	},
980	{0, 0, 1, 0,		/* 0x7e */
981		{{1, 6},
982		{0, 0},
983		{0, 0},
984		{0, 0}
985		}
986	},
987	{1, 0, 1, 0,		/* 0x7f */
988		{{0, 6},
989		{0, 0},
990		{0, 0},
991		{0, 0}
992		}
993	},
994	{0, 1, 1, 0,		/* 0x80 */
995		{{7, 7},
996		{0, 0},
997		{0, 0},
998		{0, 0}
999		}
1000	},
1001	{1, 1, 2, 0,		/* 0x81 */
1002		{{0, 0},
1003		{7, 7},
1004		{0, 0},
1005		{0, 0}
1006		}
1007	},
1008	{0, 1, 2, 0,		/* 0x82 */
1009		{{1, 1},
1010		{7, 7},
1011		{0, 0},
1012		{0, 0}
1013		}
1014	},
1015	{1, 1, 2, 0,		/* 0x83 */
1016		{{0, 1},
1017		{7, 7},
1018		{0, 0},
1019		{0, 0}
1020		}
1021	},
1022	{0, 1, 2, 0,		/* 0x84 */
1023		{{2, 2},
1024		{7, 7},
1025		{0, 0},
1026		{0, 0}
1027		}
1028	},
1029	{1, 1, 3, 0,		/* 0x85 */
1030		{{0, 0},
1031		{2, 2},
1032		{7, 7},
1033		{0, 0}
1034		}
1035	},
1036	{0, 1, 2, 0,		/* 0x86 */
1037		{{1, 2},
1038		{7, 7},
1039		{0, 0},
1040		{0, 0}
1041		}
1042	},
1043	{1, 1, 2, 0,		/* 0x87 */
1044		{{0, 2},
1045		{7, 7},
1046		{0, 0},
1047		{0, 0}
1048		}
1049	},
1050	{0, 1, 2, 0,		/* 0x88 */
1051		{{3, 3},
1052		{7, 7},
1053		{0, 0},
1054		{0, 0}
1055		}
1056	},
1057	{1, 1, 3, 0,		/* 0x89 */
1058		{{0, 0},
1059		{3, 3},
1060		{7, 7},
1061		{0, 0}
1062		}
1063	},
1064	{0, 1, 3, 0,		/* 0x8a */
1065		{{1, 1},
1066		{3, 3},
1067		{7, 7},
1068		{0, 0}
1069		}
1070	},
1071	{1, 1, 3, 0,		/* 0x8b */
1072		{{0, 1},
1073		{3, 3},
1074		{7, 7},
1075		{0, 0}
1076		}
1077	},
1078	{0, 1, 2, 0,		/* 0x8c */
1079		{{2, 3},
1080		{7, 7},
1081		{0, 0},
1082		{0, 0}
1083		}
1084	},
1085	{1, 1, 3, 0,		/* 0x8d */
1086		{{0, 0},
1087		{2, 3},
1088		{7, 7},
1089		{0, 0}
1090		}
1091	},
1092	{0, 1, 2, 0,		/* 0x8e */
1093		{{1, 3},
1094		{7, 7},
1095		{0, 0},
1096		{0, 0}
1097		}
1098	},
1099	{1, 1, 2, 0,		/* 0x8f */
1100		{{0, 3},
1101		{7, 7},
1102		{0, 0},
1103		{0, 0}
1104		}
1105	},
1106	{0, 1, 2, 0,		/* 0x90 */
1107		{{4, 4},
1108		{7, 7},
1109		{0, 0},
1110		{0, 0}
1111		}
1112	},
1113	{1, 1, 3, 0,		/* 0x91 */
1114		{{0, 0},
1115		{4, 4},
1116		{7, 7},
1117		{0, 0}
1118		}
1119	},
1120	{0, 1, 3, 0,		/* 0x92 */
1121		{{1, 1},
1122		{4, 4},
1123		{7, 7},
1124		{0, 0}
1125		}
1126	},
1127	{1, 1, 3, 0,		/* 0x93 */
1128		{{0, 1},
1129		{4, 4},
1130		{7, 7},
1131		{0, 0}
1132		}
1133	},
1134	{0, 1, 3, 0,		/* 0x94 */
1135		{{2, 2},
1136		{4, 4},
1137		{7, 7},
1138		{0, 0}
1139		}
1140	},
1141	{1, 1, 4, 0,		/* 0x95 */
1142		{{0, 0},
1143		{2, 2},
1144		{4, 4},
1145		{7, 7}
1146		}
1147	},
1148	{0, 1, 3, 0,		/* 0x96 */
1149		{{1, 2},
1150		{4, 4},
1151		{7, 7},
1152		{0, 0}
1153		}
1154	},
1155	{1, 1, 3, 0,		/* 0x97 */
1156		{{0, 2},
1157		{4, 4},
1158		{7, 7},
1159		{0, 0}
1160		}
1161	},
1162	{0, 1, 2, 0,		/* 0x98 */
1163		{{3, 4},
1164		{7, 7},
1165		{0, 0},
1166		{0, 0}
1167		}
1168	},
1169	{1, 1, 3, 0,		/* 0x99 */
1170		{{0, 0},
1171		{3, 4},
1172		{7, 7},
1173		{0, 0}
1174		}
1175	},
1176	{0, 1, 3, 0,		/* 0x9a */
1177		{{1, 1},
1178		{3, 4},
1179		{7, 7},
1180		{0, 0}
1181		}
1182	},
1183	{1, 1, 3, 0,		/* 0x9b */
1184		{{0, 1},
1185		{3, 4},
1186		{7, 7},
1187		{0, 0}
1188		}
1189	},
1190	{0, 1, 2, 0,		/* 0x9c */
1191		{{2, 4},
1192		{7, 7},
1193		{0, 0},
1194		{0, 0}
1195		}
1196	},
1197	{1, 1, 3, 0,		/* 0x9d */
1198		{{0, 0},
1199		{2, 4},
1200		{7, 7},
1201		{0, 0}
1202		}
1203	},
1204	{0, 1, 2, 0,		/* 0x9e */
1205		{{1, 4},
1206		{7, 7},
1207		{0, 0},
1208		{0, 0}
1209		}
1210	},
1211	{1, 1, 2, 0,		/* 0x9f */
1212		{{0, 4},
1213		{7, 7},
1214		{0, 0},
1215		{0, 0}
1216		}
1217	},
1218	{0, 1, 2, 0,		/* 0xa0 */
1219		{{5, 5},
1220		{7, 7},
1221		{0, 0},
1222		{0, 0}
1223		}
1224	},
1225	{1, 1, 3, 0,		/* 0xa1 */
1226		{{0, 0},
1227		{5, 5},
1228		{7, 7},
1229		{0, 0}
1230		}
1231	},
1232	{0, 1, 3, 0,		/* 0xa2 */
1233		{{1, 1},
1234		{5, 5},
1235		{7, 7},
1236		{0, 0}
1237		}
1238	},
1239	{1, 1, 3, 0,		/* 0xa3 */
1240		{{0, 1},
1241		{5, 5},
1242		{7, 7},
1243		{0, 0}
1244		}
1245	},
1246	{0, 1, 3, 0,		/* 0xa4 */
1247		{{2, 2},
1248		{5, 5},
1249		{7, 7},
1250		{0, 0}
1251		}
1252	},
1253	{1, 1, 4, 0,		/* 0xa5 */
1254		{{0, 0},
1255		{2, 2},
1256		{5, 5},
1257		{7, 7}
1258		}
1259	},
1260	{0, 1, 3, 0,		/* 0xa6 */
1261		{{1, 2},
1262		{5, 5},
1263		{7, 7},
1264		{0, 0}
1265		}
1266	},
1267	{1, 1, 3, 0,		/* 0xa7 */
1268		{{0, 2},
1269		{5, 5},
1270		{7, 7},
1271		{0, 0}
1272		}
1273	},
1274	{0, 1, 3, 0,		/* 0xa8 */
1275		{{3, 3},
1276		{5, 5},
1277		{7, 7},
1278		{0, 0}
1279		}
1280	},
1281	{1, 1, 4, 0,		/* 0xa9 */
1282		{{0, 0},
1283		{3, 3},
1284		{5, 5},
1285		{7, 7}
1286		}
1287	},
1288	{0, 1, 4, 0,		/* 0xaa */
1289		{{1, 1},
1290		{3, 3},
1291		{5, 5},
1292		{7, 7}
1293		}
1294	},
1295	{1, 1, 4, 0,		/* 0xab */
1296		{{0, 1},
1297		{3, 3},
1298		{5, 5},
1299		{7, 7}
1300		}
1301	},
1302	{0, 1, 3, 0,		/* 0xac */
1303		{{2, 3},
1304		{5, 5},
1305		{7, 7},
1306		{0, 0}
1307		}
1308	},
1309	{1, 1, 4, 0,		/* 0xad */
1310		{{0, 0},
1311		{2, 3},
1312		{5, 5},
1313		{7, 7}
1314		}
1315	},
1316	{0, 1, 3, 0,		/* 0xae */
1317		{{1, 3},
1318		{5, 5},
1319		{7, 7},
1320		{0, 0}
1321		}
1322	},
1323	{1, 1, 3, 0,		/* 0xaf */
1324		{{0, 3},
1325		{5, 5},
1326		{7, 7},
1327		{0, 0}
1328		}
1329	},
1330	{0, 1, 2, 0,		/* 0xb0 */
1331		{{4, 5},
1332		{7, 7},
1333		{0, 0},
1334		{0, 0}
1335		}
1336	},
1337	{1, 1, 3, 0,		/* 0xb1 */
1338		{{0, 0},
1339		{4, 5},
1340		{7, 7},
1341		{0, 0}
1342		}
1343	},
1344	{0, 1, 3, 0,		/* 0xb2 */
1345		{{1, 1},
1346		{4, 5},
1347		{7, 7},
1348		{0, 0}
1349		}
1350	},
1351	{1, 1, 3, 0,		/* 0xb3 */
1352		{{0, 1},
1353		{4, 5},
1354		{7, 7},
1355		{0, 0}
1356		}
1357	},
1358	{0, 1, 3, 0,		/* 0xb4 */
1359		{{2, 2},
1360		{4, 5},
1361		{7, 7},
1362		{0, 0}
1363		}
1364	},
1365	{1, 1, 4, 0,		/* 0xb5 */
1366		{{0, 0},
1367		{2, 2},
1368		{4, 5},
1369		{7, 7}
1370		}
1371	},
1372	{0, 1, 3, 0,		/* 0xb6 */
1373		{{1, 2},
1374		{4, 5},
1375		{7, 7},
1376		{0, 0}
1377		}
1378	},
1379	{1, 1, 3, 0,		/* 0xb7 */
1380		{{0, 2},
1381		{4, 5},
1382		{7, 7},
1383		{0, 0}
1384		}
1385	},
1386	{0, 1, 2, 0,		/* 0xb8 */
1387		{{3, 5},
1388		{7, 7},
1389		{0, 0},
1390		{0, 0}
1391		}
1392	},
1393	{1, 1, 3, 0,		/* 0xb9 */
1394		{{0, 0},
1395		{3, 5},
1396		{7, 7},
1397		{0, 0}
1398		}
1399	},
1400	{0, 1, 3, 0,		/* 0xba */
1401		{{1, 1},
1402		{3, 5},
1403		{7, 7},
1404		{0, 0}
1405		}
1406	},
1407	{1, 1, 3, 0,		/* 0xbb */
1408		{{0, 1},
1409		{3, 5},
1410		{7, 7},
1411		{0, 0}
1412		}
1413	},
1414	{0, 1, 2, 0,		/* 0xbc */
1415		{{2, 5},
1416		{7, 7},
1417		{0, 0},
1418		{0, 0}
1419		}
1420	},
1421	{1, 1, 3, 0,		/* 0xbd */
1422		{{0, 0},
1423		{2, 5},
1424		{7, 7},
1425		{0, 0}
1426		}
1427	},
1428	{0, 1, 2, 0,		/* 0xbe */
1429		{{1, 5},
1430		{7, 7},
1431		{0, 0},
1432		{0, 0}
1433		}
1434	},
1435	{1, 1, 2, 0,		/* 0xbf */
1436		{{0, 5},
1437		{7, 7},
1438		{0, 0},
1439		{0, 0}
1440		}
1441	},
1442	{0, 1, 1, 0,		/* 0xc0 */
1443		{{6, 7},
1444		{0, 0},
1445		{0, 0},
1446		{0, 0}
1447		}
1448	},
1449	{1, 1, 2, 0,		/* 0xc1 */
1450		{{0, 0},
1451		{6, 7},
1452		{0, 0},
1453		{0, 0}
1454		}
1455	},
1456	{0, 1, 2, 0,		/* 0xc2 */
1457		{{1, 1},
1458		{6, 7},
1459		{0, 0},
1460		{0, 0}
1461		}
1462	},
1463	{1, 1, 2, 0,		/* 0xc3 */
1464		{{0, 1},
1465		{6, 7},
1466		{0, 0},
1467		{0, 0}
1468		}
1469	},
1470	{0, 1, 2, 0,		/* 0xc4 */
1471		{{2, 2},
1472		{6, 7},
1473		{0, 0},
1474		{0, 0}
1475		}
1476	},
1477	{1, 1, 3, 0,		/* 0xc5 */
1478		{{0, 0},
1479		{2, 2},
1480		{6, 7},
1481		{0, 0}
1482		}
1483	},
1484	{0, 1, 2, 0,		/* 0xc6 */
1485		{{1, 2},
1486		{6, 7},
1487		{0, 0},
1488		{0, 0}
1489		}
1490	},
1491	{1, 1, 2, 0,		/* 0xc7 */
1492		{{0, 2},
1493		{6, 7},
1494		{0, 0},
1495		{0, 0}
1496		}
1497	},
1498	{0, 1, 2, 0,		/* 0xc8 */
1499		{{3, 3},
1500		{6, 7},
1501		{0, 0},
1502		{0, 0}
1503		}
1504	},
1505	{1, 1, 3, 0,		/* 0xc9 */
1506		{{0, 0},
1507		{3, 3},
1508		{6, 7},
1509		{0, 0}
1510		}
1511	},
1512	{0, 1, 3, 0,		/* 0xca */
1513		{{1, 1},
1514		{3, 3},
1515		{6, 7},
1516		{0, 0}
1517		}
1518	},
1519	{1, 1, 3, 0,		/* 0xcb */
1520		{{0, 1},
1521		{3, 3},
1522		{6, 7},
1523		{0, 0}
1524		}
1525	},
1526	{0, 1, 2, 0,		/* 0xcc */
1527		{{2, 3},
1528		{6, 7},
1529		{0, 0},
1530		{0, 0}
1531		}
1532	},
1533	{1, 1, 3, 0,		/* 0xcd */
1534		{{0, 0},
1535		{2, 3},
1536		{6, 7},
1537		{0, 0}
1538		}
1539	},
1540	{0, 1, 2, 0,		/* 0xce */
1541		{{1, 3},
1542		{6, 7},
1543		{0, 0},
1544		{0, 0}
1545		}
1546	},
1547	{1, 1, 2, 0,		/* 0xcf */
1548		{{0, 3},
1549		{6, 7},
1550		{0, 0},
1551		{0, 0}
1552		}
1553	},
1554	{0, 1, 2, 0,		/* 0xd0 */
1555		{{4, 4},
1556		{6, 7},
1557		{0, 0},
1558		{0, 0}
1559		}
1560	},
1561	{1, 1, 3, 0,		/* 0xd1 */
1562		{{0, 0},
1563		{4, 4},
1564		{6, 7},
1565		{0, 0}
1566		}
1567	},
1568	{0, 1, 3, 0,		/* 0xd2 */
1569		{{1, 1},
1570		{4, 4},
1571		{6, 7},
1572		{0, 0}
1573		}
1574	},
1575	{1, 1, 3, 0,		/* 0xd3 */
1576		{{0, 1},
1577		{4, 4},
1578		{6, 7},
1579		{0, 0}
1580		}
1581	},
1582	{0, 1, 3, 0,		/* 0xd4 */
1583		{{2, 2},
1584		{4, 4},
1585		{6, 7},
1586		{0, 0}
1587		}
1588	},
1589	{1, 1, 4, 0,		/* 0xd5 */
1590		{{0, 0},
1591		{2, 2},
1592		{4, 4},
1593		{6, 7}
1594		}
1595	},
1596	{0, 1, 3, 0,		/* 0xd6 */
1597		{{1, 2},
1598		{4, 4},
1599		{6, 7},
1600		{0, 0}
1601		}
1602	},
1603	{1, 1, 3, 0,		/* 0xd7 */
1604		{{0, 2},
1605		{4, 4},
1606		{6, 7},
1607		{0, 0}
1608		}
1609	},
1610	{0, 1, 2, 0,		/* 0xd8 */
1611		{{3, 4},
1612		{6, 7},
1613		{0, 0},
1614		{0, 0}
1615		}
1616	},
1617	{1, 1, 3, 0,		/* 0xd9 */
1618		{{0, 0},
1619		{3, 4},
1620		{6, 7},
1621		{0, 0}
1622		}
1623	},
1624	{0, 1, 3, 0,		/* 0xda */
1625		{{1, 1},
1626		{3, 4},
1627		{6, 7},
1628		{0, 0}
1629		}
1630	},
1631	{1, 1, 3, 0,		/* 0xdb */
1632		{{0, 1},
1633		{3, 4},
1634		{6, 7},
1635		{0, 0}
1636		}
1637	},
1638	{0, 1, 2, 0,		/* 0xdc */
1639		{{2, 4},
1640		{6, 7},
1641		{0, 0},
1642		{0, 0}
1643		}
1644	},
1645	{1, 1, 3, 0,		/* 0xdd */
1646		{{0, 0},
1647		{2, 4},
1648		{6, 7},
1649		{0, 0}
1650		}
1651	},
1652	{0, 1, 2, 0,		/* 0xde */
1653		{{1, 4},
1654		{6, 7},
1655		{0, 0},
1656		{0, 0}
1657		}
1658	},
1659	{1, 1, 2, 0,		/* 0xdf */
1660		{{0, 4},
1661		{6, 7},
1662		{0, 0},
1663		{0, 0}
1664		}
1665	},
1666	{0, 1, 1, 0,		/* 0xe0 */
1667		{{5, 7},
1668		{0, 0},
1669		{0, 0},
1670		{0, 0}
1671		}
1672	},
1673	{1, 1, 2, 0,		/* 0xe1 */
1674		{{0, 0},
1675		{5, 7},
1676		{0, 0},
1677		{0, 0}
1678		}
1679	},
1680	{0, 1, 2, 0,		/* 0xe2 */
1681		{{1, 1},
1682		{5, 7},
1683		{0, 0},
1684		{0, 0}
1685		}
1686	},
1687	{1, 1, 2, 0,		/* 0xe3 */
1688		{{0, 1},
1689		{5, 7},
1690		{0, 0},
1691		{0, 0}
1692		}
1693	},
1694	{0, 1, 2, 0,		/* 0xe4 */
1695		{{2, 2},
1696		{5, 7},
1697		{0, 0},
1698		{0, 0}
1699		}
1700	},
1701	{1, 1, 3, 0,		/* 0xe5 */
1702		{{0, 0},
1703		{2, 2},
1704		{5, 7},
1705		{0, 0}
1706		}
1707	},
1708	{0, 1, 2, 0,		/* 0xe6 */
1709		{{1, 2},
1710		{5, 7},
1711		{0, 0},
1712		{0, 0}
1713		}
1714	},
1715	{1, 1, 2, 0,		/* 0xe7 */
1716		{{0, 2},
1717		{5, 7},
1718		{0, 0},
1719		{0, 0}
1720		}
1721	},
1722	{0, 1, 2, 0,		/* 0xe8 */
1723		{{3, 3},
1724		{5, 7},
1725		{0, 0},
1726		{0, 0}
1727		}
1728	},
1729	{1, 1, 3, 0,		/* 0xe9 */
1730		{{0, 0},
1731		{3, 3},
1732		{5, 7},
1733		{0, 0}
1734		}
1735	},
1736	{0, 1, 3, 0,		/* 0xea */
1737		{{1, 1},
1738		{3, 3},
1739		{5, 7},
1740		{0, 0}
1741		}
1742	},
1743	{1, 1, 3, 0,		/* 0xeb */
1744		{{0, 1},
1745		{3, 3},
1746		{5, 7},
1747		{0, 0}
1748		}
1749	},
1750	{0, 1, 2, 0,		/* 0xec */
1751		{{2, 3},
1752		{5, 7},
1753		{0, 0},
1754		{0, 0}
1755		}
1756	},
1757	{1, 1, 3, 0,		/* 0xed */
1758		{{0, 0},
1759		{2, 3},
1760		{5, 7},
1761		{0, 0}
1762		}
1763	},
1764	{0, 1, 2, 0,		/* 0xee */
1765		{{1, 3},
1766		{5, 7},
1767		{0, 0},
1768		{0, 0}
1769		}
1770	},
1771	{1, 1, 2, 0,		/* 0xef */
1772		{{0, 3},
1773		{5, 7},
1774		{0, 0},
1775		{0, 0}
1776		}
1777	},
1778	{0, 1, 1, 0,		/* 0xf0 */
1779		{{4, 7},
1780		{0, 0},
1781		{0, 0},
1782		{0, 0}
1783		}
1784	},
1785	{1, 1, 2, 0,		/* 0xf1 */
1786		{{0, 0},
1787		{4, 7},
1788		{0, 0},
1789		{0, 0}
1790		}
1791	},
1792	{0, 1, 2, 0,		/* 0xf2 */
1793		{{1, 1},
1794		{4, 7},
1795		{0, 0},
1796		{0, 0}
1797		}
1798	},
1799	{1, 1, 2, 0,		/* 0xf3 */
1800		{{0, 1},
1801		{4, 7},
1802		{0, 0},
1803		{0, 0}
1804		}
1805	},
1806	{0, 1, 2, 0,		/* 0xf4 */
1807		{{2, 2},
1808		{4, 7},
1809		{0, 0},
1810		{0, 0}
1811		}
1812	},
1813	{1, 1, 3, 0,		/* 0xf5 */
1814		{{0, 0},
1815		{2, 2},
1816		{4, 7},
1817		{0, 0}
1818		}
1819	},
1820	{0, 1, 2, 0,		/* 0xf6 */
1821		{{1, 2},
1822		{4, 7},
1823		{0, 0},
1824		{0, 0}
1825		}
1826	},
1827	{1, 1, 2, 0,		/* 0xf7 */
1828		{{0, 2},
1829		{4, 7},
1830		{0, 0},
1831		{0, 0}
1832		}
1833	},
1834	{0, 1, 1, 0,		/* 0xf8 */
1835		{{3, 7},
1836		{0, 0},
1837		{0, 0},
1838		{0, 0}
1839		}
1840	},
1841	{1, 1, 2, 0,		/* 0xf9 */
1842		{{0, 0},
1843		{3, 7},
1844		{0, 0},
1845		{0, 0}
1846		}
1847	},
1848	{0, 1, 2, 0,		/* 0xfa */
1849		{{1, 1},
1850		{3, 7},
1851		{0, 0},
1852		{0, 0}
1853		}
1854	},
1855	{1, 1, 2, 0,		/* 0xfb */
1856		{{0, 1},
1857		{3, 7},
1858		{0, 0},
1859		{0, 0}
1860		}
1861	},
1862	{0, 1, 1, 0,		/* 0xfc */
1863		{{2, 7},
1864		{0, 0},
1865		{0, 0},
1866		{0, 0}
1867		}
1868	},
1869	{1, 1, 2, 0,		/* 0xfd */
1870		{{0, 0},
1871		{2, 7},
1872		{0, 0},
1873		{0, 0}
1874		}
1875	},
1876	{0, 1, 1, 0,		/* 0xfe */
1877		{{1, 7},
1878		{0, 0},
1879		{0, 0},
1880		{0, 0}
1881		}
1882	},
1883	{1, 1, 1, 0,		/* 0xff */
1884		{{0, 7},
1885		{0, 0},
1886		{0, 0},
1887		{0, 0}
1888		}
1889	}
1890};
1891
1892
1893int
1894sctp_is_address_in_scope(struct sctp_ifa *ifa,
1895                         struct sctp_scoping *scope,
1896                         int do_update)
1897{
1898	if ((scope->loopback_scope == 0) &&
1899	    (ifa->ifn_p) && SCTP_IFN_IS_IFT_LOOP(ifa->ifn_p)) {
1900		/*
1901		 * skip loopback if not in scope *
1902		 */
1903		return (0);
1904	}
1905	switch (ifa->address.sa.sa_family) {
1906#ifdef INET
1907	case AF_INET:
1908		if (scope->ipv4_addr_legal) {
1909			struct sockaddr_in *sin;
1910
1911			sin = &ifa->address.sin;
1912			if (sin->sin_addr.s_addr == 0) {
1913				/* not in scope , unspecified */
1914				return (0);
1915			}
1916			if ((scope->ipv4_local_scope == 0) &&
1917			    (IN4_ISPRIVATE_ADDRESS(&sin->sin_addr))) {
1918				/* private address not in scope */
1919				return (0);
1920			}
1921		} else {
1922			return (0);
1923		}
1924		break;
1925#endif
1926#ifdef INET6
1927	case AF_INET6:
1928		if (scope->ipv6_addr_legal) {
1929			struct sockaddr_in6 *sin6;
1930
1931#if !defined(__Panda__)
1932			/* Must update the flags,  bummer, which
1933			 * means any IFA locks must now be applied HERE <->
1934			 */
1935			if (do_update) {
1936				sctp_gather_internal_ifa_flags(ifa);
1937			}
1938#endif
1939			if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
1940				return (0);
1941			}
1942			/* ok to use deprecated addresses? */
1943			sin6 = &ifa->address.sin6;
1944			if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) {
1945				/* skip unspecifed addresses */
1946				return (0);
1947			}
1948			if (		/* (local_scope == 0) && */
1949			    (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))) {
1950				return (0);
1951			}
1952			if ((scope->site_scope == 0) &&
1953			    (IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr))) {
1954				return (0);
1955			}
1956		} else {
1957			return (0);
1958		}
1959		break;
1960#endif
1961#if defined(__Userspace__)
1962	case AF_CONN:
1963		if (!scope->conn_addr_legal) {
1964			return (0);
1965		}
1966		break;
1967#endif
1968	default:
1969		return (0);
1970	}
1971	return (1);
1972}
1973
1974static struct mbuf *
1975sctp_add_addr_to_mbuf(struct mbuf *m, struct sctp_ifa *ifa, uint16_t *len)
1976{
1977#if defined(INET) || defined(INET6)
1978	struct sctp_paramhdr *parmh;
1979	struct mbuf *mret;
1980	uint16_t plen;
1981#endif
1982
1983	switch (ifa->address.sa.sa_family) {
1984#ifdef INET
1985	case AF_INET:
1986		plen = (uint16_t)sizeof(struct sctp_ipv4addr_param);
1987		break;
1988#endif
1989#ifdef INET6
1990	case AF_INET6:
1991		plen = (uint16_t)sizeof(struct sctp_ipv6addr_param);
1992		break;
1993#endif
1994	default:
1995		return (m);
1996	}
1997#if defined(INET) || defined(INET6)
1998	if (M_TRAILINGSPACE(m) >= plen) {
1999		/* easy side we just drop it on the end */
2000		parmh = (struct sctp_paramhdr *)(SCTP_BUF_AT(m, SCTP_BUF_LEN(m)));
2001		mret = m;
2002	} else {
2003		/* Need more space */
2004		mret = m;
2005		while (SCTP_BUF_NEXT(mret) != NULL) {
2006			mret = SCTP_BUF_NEXT(mret);
2007		}
2008		SCTP_BUF_NEXT(mret) = sctp_get_mbuf_for_msg(plen, 0, M_NOWAIT, 1, MT_DATA);
2009		if (SCTP_BUF_NEXT(mret) == NULL) {
2010			/* We are hosed, can't add more addresses */
2011			return (m);
2012		}
2013		mret = SCTP_BUF_NEXT(mret);
2014		parmh = mtod(mret, struct sctp_paramhdr *);
2015	}
2016	/* now add the parameter */
2017	switch (ifa->address.sa.sa_family) {
2018#ifdef INET
2019	case AF_INET:
2020	{
2021		struct sctp_ipv4addr_param *ipv4p;
2022		struct sockaddr_in *sin;
2023
2024		sin = &ifa->address.sin;
2025		ipv4p = (struct sctp_ipv4addr_param *)parmh;
2026		parmh->param_type = htons(SCTP_IPV4_ADDRESS);
2027		parmh->param_length = htons(plen);
2028		ipv4p->addr = sin->sin_addr.s_addr;
2029		SCTP_BUF_LEN(mret) += plen;
2030		break;
2031	}
2032#endif
2033#ifdef INET6
2034	case AF_INET6:
2035	{
2036		struct sctp_ipv6addr_param *ipv6p;
2037		struct sockaddr_in6 *sin6;
2038
2039		sin6 = &ifa->address.sin6;
2040		ipv6p = (struct sctp_ipv6addr_param *)parmh;
2041		parmh->param_type = htons(SCTP_IPV6_ADDRESS);
2042		parmh->param_length = htons(plen);
2043		memcpy(ipv6p->addr, &sin6->sin6_addr,
2044		    sizeof(ipv6p->addr));
2045#if defined(SCTP_EMBEDDED_V6_SCOPE)
2046		/* clear embedded scope in the address */
2047		in6_clearscope((struct in6_addr *)ipv6p->addr);
2048#endif
2049		SCTP_BUF_LEN(mret) += plen;
2050		break;
2051	}
2052#endif
2053	default:
2054		return (m);
2055	}
2056	if (len != NULL) {
2057		*len += plen;
2058	}
2059	return (mret);
2060#endif
2061}
2062
2063
2064struct mbuf *
2065sctp_add_addresses_to_i_ia(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
2066                           struct sctp_scoping *scope,
2067			   struct mbuf *m_at, int cnt_inits_to,
2068			   uint16_t *padding_len, uint16_t *chunk_len)
2069{
2070	struct sctp_vrf *vrf = NULL;
2071	int cnt, limit_out = 0, total_count;
2072	uint32_t vrf_id;
2073
2074	vrf_id = inp->def_vrf_id;
2075	SCTP_IPI_ADDR_RLOCK();
2076	vrf = sctp_find_vrf(vrf_id);
2077	if (vrf == NULL) {
2078		SCTP_IPI_ADDR_RUNLOCK();
2079		return (m_at);
2080	}
2081	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
2082		struct sctp_ifa *sctp_ifap;
2083		struct sctp_ifn *sctp_ifnp;
2084
2085		cnt = cnt_inits_to;
2086		if (vrf->total_ifa_count > SCTP_COUNT_LIMIT) {
2087			limit_out = 1;
2088			cnt = SCTP_ADDRESS_LIMIT;
2089			goto skip_count;
2090		}
2091		LIST_FOREACH(sctp_ifnp, &vrf->ifnlist, next_ifn) {
2092			if ((scope->loopback_scope == 0) &&
2093			    SCTP_IFN_IS_IFT_LOOP(sctp_ifnp)) {
2094				/*
2095				 * Skip loopback devices if loopback_scope
2096				 * not set
2097				 */
2098				continue;
2099			}
2100			LIST_FOREACH(sctp_ifap, &sctp_ifnp->ifalist, next_ifa) {
2101#if defined(__FreeBSD__)
2102#ifdef INET
2103				if ((sctp_ifap->address.sa.sa_family == AF_INET) &&
2104				    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2105				                      &sctp_ifap->address.sin.sin_addr) != 0)) {
2106					continue;
2107				}
2108#endif
2109#ifdef INET6
2110				if ((sctp_ifap->address.sa.sa_family == AF_INET6) &&
2111				    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2112				                      &sctp_ifap->address.sin6.sin6_addr) != 0)) {
2113					continue;
2114				}
2115#endif
2116#endif
2117				if (sctp_is_addr_restricted(stcb, sctp_ifap)) {
2118					continue;
2119				}
2120#if defined(__Userspace__)
2121				if (sctp_ifap->address.sa.sa_family == AF_CONN) {
2122					continue;
2123				}
2124#endif
2125				if (sctp_is_address_in_scope(sctp_ifap, scope, 1) == 0) {
2126					continue;
2127				}
2128				cnt++;
2129				if (cnt > SCTP_ADDRESS_LIMIT) {
2130					break;
2131				}
2132			}
2133			if (cnt > SCTP_ADDRESS_LIMIT) {
2134				break;
2135			}
2136		}
2137	skip_count:
2138		if (cnt > 1) {
2139			total_count = 0;
2140			LIST_FOREACH(sctp_ifnp, &vrf->ifnlist, next_ifn) {
2141				cnt = 0;
2142				if ((scope->loopback_scope == 0) &&
2143				    SCTP_IFN_IS_IFT_LOOP(sctp_ifnp)) {
2144					/*
2145					 * Skip loopback devices if
2146					 * loopback_scope not set
2147					 */
2148					continue;
2149				}
2150				LIST_FOREACH(sctp_ifap, &sctp_ifnp->ifalist, next_ifa) {
2151#if defined(__FreeBSD__)
2152#ifdef INET
2153					if ((sctp_ifap->address.sa.sa_family == AF_INET) &&
2154					    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2155					                      &sctp_ifap->address.sin.sin_addr) != 0)) {
2156						continue;
2157					}
2158#endif
2159#ifdef INET6
2160					if ((sctp_ifap->address.sa.sa_family == AF_INET6) &&
2161					    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2162					                      &sctp_ifap->address.sin6.sin6_addr) != 0)) {
2163						continue;
2164					}
2165#endif
2166#endif
2167					if (sctp_is_addr_restricted(stcb, sctp_ifap)) {
2168						continue;
2169					}
2170#if defined(__Userspace__)
2171					if (sctp_ifap->address.sa.sa_family == AF_CONN) {
2172						continue;
2173					}
2174#endif
2175					if (sctp_is_address_in_scope(sctp_ifap,
2176								     scope, 0) == 0) {
2177						continue;
2178					}
2179					if ((chunk_len != NULL) &&
2180					    (padding_len != NULL) &&
2181					    (*padding_len > 0)) {
2182						memset(mtod(m_at, caddr_t) + *chunk_len, 0, *padding_len);
2183						SCTP_BUF_LEN(m_at) += *padding_len;
2184						*chunk_len += *padding_len;
2185						*padding_len = 0;
2186					}
2187					m_at = sctp_add_addr_to_mbuf(m_at, sctp_ifap, chunk_len);
2188					if (limit_out) {
2189						cnt++;
2190						total_count++;
2191						if (cnt >= 2) {
2192							/* two from each address */
2193							break;
2194						}
2195						if (total_count > SCTP_ADDRESS_LIMIT) {
2196							/* No more addresses */
2197							break;
2198						}
2199					}
2200				}
2201			}
2202		}
2203	} else {
2204		struct sctp_laddr *laddr;
2205
2206		cnt = cnt_inits_to;
2207		/* First, how many ? */
2208		LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2209			if (laddr->ifa == NULL) {
2210				continue;
2211			}
2212			if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED)
2213				/* Address being deleted by the system, dont
2214				 * list.
2215				 */
2216				continue;
2217			if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2218				/* Address being deleted on this ep
2219				 * don't list.
2220				 */
2221				continue;
2222			}
2223#if defined(__Userspace__)
2224			if (laddr->ifa->address.sa.sa_family == AF_CONN) {
2225				continue;
2226			}
2227#endif
2228			if (sctp_is_address_in_scope(laddr->ifa,
2229						     scope, 1) == 0) {
2230				continue;
2231			}
2232			cnt++;
2233		}
2234		/*
2235		 * To get through a NAT we only list addresses if we have
2236		 * more than one. That way if you just bind a single address
2237		 * we let the source of the init dictate our address.
2238		 */
2239		if (cnt > 1) {
2240			cnt = cnt_inits_to;
2241			LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2242				if (laddr->ifa == NULL) {
2243					continue;
2244				}
2245				if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED) {
2246					continue;
2247				}
2248#if defined(__Userspace__)
2249				if (laddr->ifa->address.sa.sa_family == AF_CONN) {
2250					continue;
2251				}
2252#endif
2253				if (sctp_is_address_in_scope(laddr->ifa,
2254							     scope, 0) == 0) {
2255					continue;
2256				}
2257				if ((chunk_len != NULL) &&
2258				    (padding_len != NULL) &&
2259				    (*padding_len > 0)) {
2260					memset(mtod(m_at, caddr_t) + *chunk_len, 0, *padding_len);
2261					SCTP_BUF_LEN(m_at) += *padding_len;
2262					*chunk_len += *padding_len;
2263					*padding_len = 0;
2264				}
2265				m_at = sctp_add_addr_to_mbuf(m_at, laddr->ifa, chunk_len);
2266				cnt++;
2267				if (cnt >= SCTP_ADDRESS_LIMIT) {
2268					break;
2269				}
2270			}
2271		}
2272	}
2273	SCTP_IPI_ADDR_RUNLOCK();
2274	return (m_at);
2275}
2276
2277static struct sctp_ifa *
2278sctp_is_ifa_addr_preferred(struct sctp_ifa *ifa,
2279			   uint8_t dest_is_loop,
2280			   uint8_t dest_is_priv,
2281			   sa_family_t fam)
2282{
2283	uint8_t dest_is_global = 0;
2284	/* dest_is_priv is true if destination is a private address */
2285	/* dest_is_loop is true if destination is a loopback addresses */
2286
2287	/**
2288	 * Here we determine if its a preferred address. A preferred address
2289	 * means it is the same scope or higher scope then the destination.
2290	 * L = loopback, P = private, G = global
2291	 * -----------------------------------------
2292	 *    src    |  dest | result
2293	 *  ----------------------------------------
2294	 *     L     |    L  |    yes
2295	 *  -----------------------------------------
2296	 *     P     |    L  |    yes-v4 no-v6
2297	 *  -----------------------------------------
2298	 *     G     |    L  |    yes-v4 no-v6
2299	 *  -----------------------------------------
2300	 *     L     |    P  |    no
2301	 *  -----------------------------------------
2302	 *     P     |    P  |    yes
2303	 *  -----------------------------------------
2304	 *     G     |    P  |    no
2305	 *   -----------------------------------------
2306	 *     L     |    G  |    no
2307	 *   -----------------------------------------
2308	 *     P     |    G  |    no
2309	 *    -----------------------------------------
2310	 *     G     |    G  |    yes
2311	 *    -----------------------------------------
2312	 */
2313
2314	if (ifa->address.sa.sa_family != fam) {
2315		/* forget mis-matched family */
2316		return (NULL);
2317	}
2318	if ((dest_is_priv == 0) && (dest_is_loop == 0)) {
2319		dest_is_global = 1;
2320	}
2321	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Is destination preferred:");
2322	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &ifa->address.sa);
2323	/* Ok the address may be ok */
2324#ifdef INET6
2325	if (fam == AF_INET6) {
2326		/* ok to use deprecated addresses? no lets not! */
2327		if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
2328			SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:1\n");
2329			return (NULL);
2330		}
2331		if (ifa->src_is_priv && !ifa->src_is_loop) {
2332			if (dest_is_loop) {
2333				SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:2\n");
2334				return (NULL);
2335			}
2336		}
2337		if (ifa->src_is_glob) {
2338			if (dest_is_loop) {
2339				SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:3\n");
2340				return (NULL);
2341			}
2342		}
2343	}
2344#endif
2345	/* Now that we know what is what, implement or table
2346	 * this could in theory be done slicker (it used to be), but this
2347	 * is straightforward and easier to validate :-)
2348	 */
2349	SCTPDBG(SCTP_DEBUG_OUTPUT3, "src_loop:%d src_priv:%d src_glob:%d\n",
2350		ifa->src_is_loop, ifa->src_is_priv, ifa->src_is_glob);
2351	SCTPDBG(SCTP_DEBUG_OUTPUT3, "dest_loop:%d dest_priv:%d dest_glob:%d\n",
2352		dest_is_loop, dest_is_priv, dest_is_global);
2353
2354	if ((ifa->src_is_loop) && (dest_is_priv)) {
2355		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:4\n");
2356		return (NULL);
2357	}
2358	if ((ifa->src_is_glob) && (dest_is_priv)) {
2359		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:5\n");
2360		return (NULL);
2361	}
2362	if ((ifa->src_is_loop) && (dest_is_global)) {
2363		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:6\n");
2364		return (NULL);
2365	}
2366	if ((ifa->src_is_priv) && (dest_is_global)) {
2367		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:7\n");
2368		return (NULL);
2369	}
2370	SCTPDBG(SCTP_DEBUG_OUTPUT3, "YES\n");
2371	/* its a preferred address */
2372	return (ifa);
2373}
2374
2375static struct sctp_ifa *
2376sctp_is_ifa_addr_acceptable(struct sctp_ifa *ifa,
2377			    uint8_t dest_is_loop,
2378			    uint8_t dest_is_priv,
2379			    sa_family_t fam)
2380{
2381	uint8_t dest_is_global = 0;
2382
2383	/**
2384	 * Here we determine if its a acceptable address. A acceptable
2385	 * address means it is the same scope or higher scope but we can
2386	 * allow for NAT which means its ok to have a global dest and a
2387	 * private src.
2388	 *
2389	 * L = loopback, P = private, G = global
2390	 * -----------------------------------------
2391	 *  src    |  dest | result
2392	 * -----------------------------------------
2393	 *   L     |   L   |    yes
2394	 *  -----------------------------------------
2395	 *   P     |   L   |    yes-v4 no-v6
2396	 *  -----------------------------------------
2397	 *   G     |   L   |    yes
2398	 * -----------------------------------------
2399	 *   L     |   P   |    no
2400	 * -----------------------------------------
2401	 *   P     |   P   |    yes
2402	 * -----------------------------------------
2403	 *   G     |   P   |    yes - May not work
2404	 * -----------------------------------------
2405	 *   L     |   G   |    no
2406	 * -----------------------------------------
2407	 *   P     |   G   |    yes - May not work
2408	 * -----------------------------------------
2409	 *   G     |   G   |    yes
2410	 * -----------------------------------------
2411	 */
2412
2413	if (ifa->address.sa.sa_family != fam) {
2414		/* forget non matching family */
2415		SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa_fam:%d fam:%d\n",
2416			ifa->address.sa.sa_family, fam);
2417		return (NULL);
2418	}
2419	/* Ok the address may be ok */
2420	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, &ifa->address.sa);
2421	SCTPDBG(SCTP_DEBUG_OUTPUT3, "dst_is_loop:%d dest_is_priv:%d\n",
2422		dest_is_loop, dest_is_priv);
2423	if ((dest_is_loop == 0) && (dest_is_priv == 0)) {
2424		dest_is_global = 1;
2425	}
2426#ifdef INET6
2427	if (fam == AF_INET6) {
2428		/* ok to use deprecated addresses? */
2429		if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
2430			return (NULL);
2431		}
2432		if (ifa->src_is_priv) {
2433			/* Special case, linklocal to loop */
2434			if (dest_is_loop)
2435				return (NULL);
2436		}
2437	}
2438#endif
2439	/*
2440	 * Now that we know what is what, implement our table.
2441	 * This could in theory be done slicker (it used to be), but this
2442	 * is straightforward and easier to validate :-)
2443	 */
2444	SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa->src_is_loop:%d dest_is_priv:%d\n",
2445		ifa->src_is_loop,
2446		dest_is_priv);
2447	if ((ifa->src_is_loop == 1) && (dest_is_priv)) {
2448		return (NULL);
2449	}
2450	SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa->src_is_loop:%d dest_is_glob:%d\n",
2451		ifa->src_is_loop,
2452		dest_is_global);
2453	if ((ifa->src_is_loop == 1) && (dest_is_global)) {
2454		return (NULL);
2455	}
2456	SCTPDBG(SCTP_DEBUG_OUTPUT3, "address is acceptable\n");
2457	/* its an acceptable address */
2458	return (ifa);
2459}
2460
2461int
2462sctp_is_addr_restricted(struct sctp_tcb *stcb, struct sctp_ifa *ifa)
2463{
2464	struct sctp_laddr *laddr;
2465
2466	if (stcb == NULL) {
2467		/* There are no restrictions, no TCB :-) */
2468		return (0);
2469	}
2470	LIST_FOREACH(laddr, &stcb->asoc.sctp_restricted_addrs, sctp_nxt_addr) {
2471		if (laddr->ifa == NULL) {
2472			SCTPDBG(SCTP_DEBUG_OUTPUT1, "%s: NULL ifa\n",
2473				__FUNCTION__);
2474			continue;
2475		}
2476		if (laddr->ifa == ifa) {
2477			/* Yes it is on the list */
2478			return (1);
2479		}
2480	}
2481	return (0);
2482}
2483
2484
2485int
2486sctp_is_addr_in_ep(struct sctp_inpcb *inp, struct sctp_ifa *ifa)
2487{
2488	struct sctp_laddr *laddr;
2489
2490	if (ifa == NULL)
2491		return (0);
2492	LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2493		if (laddr->ifa == NULL) {
2494			SCTPDBG(SCTP_DEBUG_OUTPUT1, "%s: NULL ifa\n",
2495				__FUNCTION__);
2496			continue;
2497		}
2498		if ((laddr->ifa == ifa) && laddr->action == 0)
2499			/* same pointer */
2500			return (1);
2501	}
2502	return (0);
2503}
2504
2505
2506
2507static struct sctp_ifa *
2508sctp_choose_boundspecific_inp(struct sctp_inpcb *inp,
2509			      sctp_route_t *ro,
2510			      uint32_t vrf_id,
2511			      int non_asoc_addr_ok,
2512			      uint8_t dest_is_priv,
2513			      uint8_t dest_is_loop,
2514			      sa_family_t fam)
2515{
2516	struct sctp_laddr *laddr, *starting_point;
2517	void *ifn;
2518	int resettotop = 0;
2519	struct sctp_ifn *sctp_ifn;
2520	struct sctp_ifa *sctp_ifa, *sifa;
2521	struct sctp_vrf *vrf;
2522	uint32_t ifn_index;
2523
2524	vrf = sctp_find_vrf(vrf_id);
2525	if (vrf == NULL)
2526		return (NULL);
2527
2528	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2529	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2530	sctp_ifn = sctp_find_ifn(ifn, ifn_index);
2531	/*
2532	 * first question, is the ifn we will emit on in our list, if so, we
2533	 * want such an address. Note that we first looked for a
2534	 * preferred address.
2535	 */
2536	if (sctp_ifn) {
2537		/* is a preferred one on the interface we route out? */
2538		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2539#if defined(__FreeBSD__)
2540#ifdef INET
2541			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
2542			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2543			                      &sctp_ifa->address.sin.sin_addr) != 0)) {
2544				continue;
2545			}
2546#endif
2547#ifdef INET6
2548			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
2549			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2550			                      &sctp_ifa->address.sin6.sin6_addr) != 0)) {
2551				continue;
2552			}
2553#endif
2554#endif
2555			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2556			    (non_asoc_addr_ok == 0))
2557				continue;
2558			sifa = sctp_is_ifa_addr_preferred(sctp_ifa,
2559							  dest_is_loop,
2560							  dest_is_priv, fam);
2561			if (sifa == NULL)
2562				continue;
2563			if (sctp_is_addr_in_ep(inp, sifa)) {
2564				atomic_add_int(&sifa->refcount, 1);
2565				return (sifa);
2566			}
2567		}
2568	}
2569	/*
2570	 * ok, now we now need to find one on the list of the addresses.
2571	 * We can't get one on the emitting interface so let's find first
2572	 * a preferred one. If not that an acceptable one otherwise...
2573	 * we return NULL.
2574	 */
2575	starting_point = inp->next_addr_touse;
2576 once_again:
2577	if (inp->next_addr_touse == NULL) {
2578		inp->next_addr_touse = LIST_FIRST(&inp->sctp_addr_list);
2579		resettotop = 1;
2580	}
2581	for (laddr = inp->next_addr_touse; laddr;
2582	     laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2583		if (laddr->ifa == NULL) {
2584			/* address has been removed */
2585			continue;
2586		}
2587		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2588			/* address is being deleted */
2589			continue;
2590		}
2591		sifa = sctp_is_ifa_addr_preferred(laddr->ifa, dest_is_loop,
2592						  dest_is_priv, fam);
2593		if (sifa == NULL)
2594			continue;
2595		atomic_add_int(&sifa->refcount, 1);
2596		return (sifa);
2597	}
2598	if (resettotop == 0) {
2599		inp->next_addr_touse = NULL;
2600		goto once_again;
2601	}
2602
2603	inp->next_addr_touse = starting_point;
2604	resettotop = 0;
2605 once_again_too:
2606	if (inp->next_addr_touse == NULL) {
2607		inp->next_addr_touse = LIST_FIRST(&inp->sctp_addr_list);
2608		resettotop = 1;
2609	}
2610
2611	/* ok, what about an acceptable address in the inp */
2612	for (laddr = inp->next_addr_touse; laddr;
2613	     laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2614		if (laddr->ifa == NULL) {
2615			/* address has been removed */
2616			continue;
2617		}
2618		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2619			/* address is being deleted */
2620			continue;
2621		}
2622		sifa = sctp_is_ifa_addr_acceptable(laddr->ifa, dest_is_loop,
2623						   dest_is_priv, fam);
2624		if (sifa == NULL)
2625			continue;
2626		atomic_add_int(&sifa->refcount, 1);
2627		return (sifa);
2628	}
2629	if (resettotop == 0) {
2630		inp->next_addr_touse = NULL;
2631		goto once_again_too;
2632	}
2633
2634	/*
2635	 * no address bound can be a source for the destination we are in
2636	 * trouble
2637	 */
2638	return (NULL);
2639}
2640
2641
2642
2643static struct sctp_ifa *
2644sctp_choose_boundspecific_stcb(struct sctp_inpcb *inp,
2645			       struct sctp_tcb *stcb,
2646			       sctp_route_t *ro,
2647			       uint32_t vrf_id,
2648			       uint8_t dest_is_priv,
2649			       uint8_t dest_is_loop,
2650			       int non_asoc_addr_ok,
2651			       sa_family_t fam)
2652{
2653	struct sctp_laddr *laddr, *starting_point;
2654	void *ifn;
2655	struct sctp_ifn *sctp_ifn;
2656	struct sctp_ifa *sctp_ifa, *sifa;
2657	uint8_t start_at_beginning = 0;
2658	struct sctp_vrf *vrf;
2659	uint32_t ifn_index;
2660
2661	/*
2662	 * first question, is the ifn we will emit on in our list, if so, we
2663	 * want that one.
2664	 */
2665	vrf = sctp_find_vrf(vrf_id);
2666	if (vrf == NULL)
2667		return (NULL);
2668
2669	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2670	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2671	sctp_ifn = sctp_find_ifn( ifn, ifn_index);
2672
2673	/*
2674	 * first question, is the ifn we will emit on in our list?  If so,
2675	 * we want that one. First we look for a preferred. Second, we go
2676	 * for an acceptable.
2677	 */
2678	if (sctp_ifn) {
2679		/* first try for a preferred address on the ep */
2680		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2681#if defined(__FreeBSD__)
2682#ifdef INET
2683			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
2684			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2685			                      &sctp_ifa->address.sin.sin_addr) != 0)) {
2686				continue;
2687			}
2688#endif
2689#ifdef INET6
2690			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
2691			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2692			                      &sctp_ifa->address.sin6.sin6_addr) != 0)) {
2693				continue;
2694			}
2695#endif
2696#endif
2697			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) && (non_asoc_addr_ok == 0))
2698				continue;
2699			if (sctp_is_addr_in_ep(inp, sctp_ifa)) {
2700				sifa = sctp_is_ifa_addr_preferred(sctp_ifa, dest_is_loop, dest_is_priv, fam);
2701				if (sifa == NULL)
2702					continue;
2703				if (((non_asoc_addr_ok == 0) &&
2704				     (sctp_is_addr_restricted(stcb, sifa))) ||
2705				    (non_asoc_addr_ok &&
2706				     (sctp_is_addr_restricted(stcb, sifa)) &&
2707				     (!sctp_is_addr_pending(stcb, sifa)))) {
2708					/* on the no-no list */
2709					continue;
2710				}
2711				atomic_add_int(&sifa->refcount, 1);
2712				return (sifa);
2713			}
2714		}
2715		/* next try for an acceptable address on the ep */
2716		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2717#if defined(__FreeBSD__)
2718#ifdef INET
2719			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
2720			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2721			                      &sctp_ifa->address.sin.sin_addr) != 0)) {
2722				continue;
2723			}
2724#endif
2725#ifdef INET6
2726			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
2727			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2728			                      &sctp_ifa->address.sin6.sin6_addr) != 0)) {
2729				continue;
2730			}
2731#endif
2732#endif
2733			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) && (non_asoc_addr_ok == 0))
2734				continue;
2735			if (sctp_is_addr_in_ep(inp, sctp_ifa)) {
2736				sifa= sctp_is_ifa_addr_acceptable(sctp_ifa, dest_is_loop, dest_is_priv,fam);
2737				if (sifa == NULL)
2738					continue;
2739				if (((non_asoc_addr_ok == 0) &&
2740				     (sctp_is_addr_restricted(stcb, sifa))) ||
2741				    (non_asoc_addr_ok &&
2742				     (sctp_is_addr_restricted(stcb, sifa)) &&
2743				     (!sctp_is_addr_pending(stcb, sifa)))) {
2744					/* on the no-no list */
2745					continue;
2746				}
2747				atomic_add_int(&sifa->refcount, 1);
2748				return (sifa);
2749			}
2750		}
2751
2752	}
2753	/*
2754	 * if we can't find one like that then we must look at all
2755	 * addresses bound to pick one at first preferable then
2756	 * secondly acceptable.
2757	 */
2758	starting_point = stcb->asoc.last_used_address;
2759 sctp_from_the_top:
2760	if (stcb->asoc.last_used_address == NULL) {
2761		start_at_beginning = 1;
2762		stcb->asoc.last_used_address = LIST_FIRST(&inp->sctp_addr_list);
2763	}
2764	/* search beginning with the last used address */
2765	for (laddr = stcb->asoc.last_used_address; laddr;
2766	     laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2767		if (laddr->ifa == NULL) {
2768			/* address has been removed */
2769			continue;
2770		}
2771		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2772			/* address is being deleted */
2773			continue;
2774		}
2775		sifa = sctp_is_ifa_addr_preferred(laddr->ifa, dest_is_loop, dest_is_priv, fam);
2776		if (sifa == NULL)
2777			continue;
2778		if (((non_asoc_addr_ok == 0) &&
2779		     (sctp_is_addr_restricted(stcb, sifa))) ||
2780		    (non_asoc_addr_ok &&
2781		     (sctp_is_addr_restricted(stcb, sifa)) &&
2782		     (!sctp_is_addr_pending(stcb, sifa)))) {
2783			/* on the no-no list */
2784			continue;
2785		}
2786		stcb->asoc.last_used_address = laddr;
2787		atomic_add_int(&sifa->refcount, 1);
2788		return (sifa);
2789	}
2790	if (start_at_beginning == 0) {
2791		stcb->asoc.last_used_address = NULL;
2792		goto sctp_from_the_top;
2793	}
2794	/* now try for any higher scope than the destination */
2795	stcb->asoc.last_used_address = starting_point;
2796	start_at_beginning = 0;
2797 sctp_from_the_top2:
2798	if (stcb->asoc.last_used_address == NULL) {
2799		start_at_beginning = 1;
2800		stcb->asoc.last_used_address = LIST_FIRST(&inp->sctp_addr_list);
2801	}
2802	/* search beginning with the last used address */
2803	for (laddr = stcb->asoc.last_used_address; laddr;
2804	     laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2805		if (laddr->ifa == NULL) {
2806			/* address has been removed */
2807			continue;
2808		}
2809		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2810			/* address is being deleted */
2811			continue;
2812		}
2813		sifa = sctp_is_ifa_addr_acceptable(laddr->ifa, dest_is_loop,
2814						   dest_is_priv, fam);
2815		if (sifa == NULL)
2816			continue;
2817		if (((non_asoc_addr_ok == 0) &&
2818		     (sctp_is_addr_restricted(stcb, sifa))) ||
2819		    (non_asoc_addr_ok &&
2820		     (sctp_is_addr_restricted(stcb, sifa)) &&
2821		     (!sctp_is_addr_pending(stcb, sifa)))) {
2822			/* on the no-no list */
2823			continue;
2824		}
2825		stcb->asoc.last_used_address = laddr;
2826		atomic_add_int(&sifa->refcount, 1);
2827		return (sifa);
2828	}
2829	if (start_at_beginning == 0) {
2830		stcb->asoc.last_used_address = NULL;
2831		goto sctp_from_the_top2;
2832	}
2833	return (NULL);
2834}
2835
2836static struct sctp_ifa *
2837sctp_select_nth_preferred_addr_from_ifn_boundall(struct sctp_ifn *ifn,
2838#if defined(__FreeBSD__)
2839                                                 struct sctp_inpcb *inp,
2840#else
2841                                                 struct sctp_inpcb *inp SCTP_UNUSED,
2842#endif
2843						 struct sctp_tcb *stcb,
2844						 int non_asoc_addr_ok,
2845						 uint8_t dest_is_loop,
2846						 uint8_t dest_is_priv,
2847						 int addr_wanted,
2848						 sa_family_t fam,
2849						 sctp_route_t *ro
2850						 )
2851{
2852	struct sctp_ifa *ifa, *sifa;
2853	int num_eligible_addr = 0;
2854#ifdef INET6
2855#ifdef SCTP_EMBEDDED_V6_SCOPE
2856	struct sockaddr_in6 sin6, lsa6;
2857
2858	if (fam == AF_INET6) {
2859		memcpy(&sin6, &ro->ro_dst, sizeof(struct sockaddr_in6));
2860#ifdef SCTP_KAME
2861		(void)sa6_recoverscope(&sin6);
2862#else
2863		(void)in6_recoverscope(&sin6, &sin6.sin6_addr, NULL);
2864#endif  /* SCTP_KAME */
2865	}
2866#endif  /* SCTP_EMBEDDED_V6_SCOPE */
2867#endif	/* INET6 */
2868	LIST_FOREACH(ifa, &ifn->ifalist, next_ifa) {
2869#if defined(__FreeBSD__)
2870#ifdef INET
2871		if ((ifa->address.sa.sa_family == AF_INET) &&
2872		    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2873		                      &ifa->address.sin.sin_addr) != 0)) {
2874			continue;
2875		}
2876#endif
2877#ifdef INET6
2878		if ((ifa->address.sa.sa_family == AF_INET6) &&
2879		    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2880		                      &ifa->address.sin6.sin6_addr) != 0)) {
2881			continue;
2882		}
2883#endif
2884#endif
2885		if ((ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2886		    (non_asoc_addr_ok == 0))
2887			continue;
2888		sifa = sctp_is_ifa_addr_preferred(ifa, dest_is_loop,
2889						  dest_is_priv, fam);
2890		if (sifa == NULL)
2891			continue;
2892#ifdef INET6
2893		if (fam == AF_INET6 &&
2894		    dest_is_loop &&
2895		    sifa->src_is_loop && sifa->src_is_priv) {
2896			/* don't allow fe80::1 to be a src on loop ::1, we don't list it
2897			 * to the peer so we will get an abort.
2898			 */
2899			continue;
2900		}
2901#ifdef SCTP_EMBEDDED_V6_SCOPE
2902		if (fam == AF_INET6 &&
2903		    IN6_IS_ADDR_LINKLOCAL(&sifa->address.sin6.sin6_addr) &&
2904		    IN6_IS_ADDR_LINKLOCAL(&sin6.sin6_addr)) {
2905			/* link-local <-> link-local must belong to the same scope. */
2906			memcpy(&lsa6, &sifa->address.sin6, sizeof(struct sockaddr_in6));
2907#ifdef SCTP_KAME
2908			(void)sa6_recoverscope(&lsa6);
2909#else
2910			(void)in6_recoverscope(&lsa6, &lsa6.sin6_addr, NULL);
2911#endif  /* SCTP_KAME */
2912			if (sin6.sin6_scope_id != lsa6.sin6_scope_id) {
2913				continue;
2914			}
2915		}
2916#endif  /* SCTP_EMBEDDED_V6_SCOPE */
2917#endif	/* INET6 */
2918
2919#if defined(__FreeBSD__) || defined(__APPLE__) || defined(__Userspace__)
2920		/* Check if the IPv6 address matches to next-hop.
2921		   In the mobile case, old IPv6 address may be not deleted
2922		   from the interface. Then, the interface has previous and
2923		   new addresses.  We should use one corresponding to the
2924		   next-hop.  (by micchie)
2925		 */
2926#ifdef INET6
2927		if (stcb && fam == AF_INET6 &&
2928		    sctp_is_mobility_feature_on(stcb->sctp_ep, SCTP_MOBILITY_BASE)) {
2929			if (sctp_v6src_match_nexthop(&sifa->address.sin6, ro)
2930			    == 0) {
2931				continue;
2932			}
2933		}
2934#endif
2935#ifdef INET
2936		/* Avoid topologically incorrect IPv4 address */
2937		if (stcb && fam == AF_INET &&
2938		    sctp_is_mobility_feature_on(stcb->sctp_ep, SCTP_MOBILITY_BASE)) {
2939			if (sctp_v4src_match_nexthop(sifa, ro) == 0) {
2940				continue;
2941			}
2942		}
2943#endif
2944#endif
2945		if (stcb) {
2946			if (sctp_is_address_in_scope(ifa, &stcb->asoc.scope, 0) == 0) {
2947				continue;
2948			}
2949			if (((non_asoc_addr_ok == 0) &&
2950			     (sctp_is_addr_restricted(stcb, sifa))) ||
2951			    (non_asoc_addr_ok &&
2952			     (sctp_is_addr_restricted(stcb, sifa)) &&
2953			     (!sctp_is_addr_pending(stcb, sifa)))) {
2954				/*
2955				 * It is restricted for some reason..
2956				 * probably not yet added.
2957				 */
2958				continue;
2959			}
2960		}
2961		if (num_eligible_addr >= addr_wanted) {
2962			return (sifa);
2963		}
2964		num_eligible_addr++;
2965	}
2966	return (NULL);
2967}
2968
2969
2970static int
2971sctp_count_num_preferred_boundall(struct sctp_ifn *ifn,
2972#if defined(__FreeBSD__)
2973                                  struct sctp_inpcb *inp,
2974#else
2975                                  struct sctp_inpcb *inp SCTP_UNUSED,
2976#endif
2977				  struct sctp_tcb *stcb,
2978				  int non_asoc_addr_ok,
2979				  uint8_t dest_is_loop,
2980				  uint8_t dest_is_priv,
2981				  sa_family_t fam)
2982{
2983	struct sctp_ifa *ifa, *sifa;
2984	int num_eligible_addr = 0;
2985
2986	LIST_FOREACH(ifa, &ifn->ifalist, next_ifa) {
2987#if defined(__FreeBSD__)
2988#ifdef INET
2989		if ((ifa->address.sa.sa_family == AF_INET) &&
2990		    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2991		                      &ifa->address.sin.sin_addr) != 0)) {
2992			continue;
2993		}
2994#endif
2995#ifdef INET6
2996		if ((ifa->address.sa.sa_family == AF_INET6) &&
2997		    (stcb != NULL) &&
2998		    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2999		                      &ifa->address.sin6.sin6_addr) != 0)) {
3000			continue;
3001		}
3002#endif
3003#endif
3004		if ((ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3005		    (non_asoc_addr_ok == 0)) {
3006			continue;
3007		}
3008		sifa = sctp_is_ifa_addr_preferred(ifa, dest_is_loop,
3009						  dest_is_priv, fam);
3010		if (sifa == NULL) {
3011			continue;
3012		}
3013		if (stcb) {
3014			if (sctp_is_address_in_scope(ifa, &stcb->asoc.scope, 0) == 0) {
3015				continue;
3016			}
3017			if (((non_asoc_addr_ok == 0) &&
3018			     (sctp_is_addr_restricted(stcb, sifa))) ||
3019			    (non_asoc_addr_ok &&
3020			     (sctp_is_addr_restricted(stcb, sifa)) &&
3021			     (!sctp_is_addr_pending(stcb, sifa)))) {
3022				/*
3023				 * It is restricted for some reason..
3024				 * probably not yet added.
3025				 */
3026				continue;
3027			}
3028		}
3029		num_eligible_addr++;
3030	}
3031	return (num_eligible_addr);
3032}
3033
3034static struct sctp_ifa *
3035sctp_choose_boundall(struct sctp_inpcb *inp,
3036                     struct sctp_tcb *stcb,
3037		     struct sctp_nets *net,
3038		     sctp_route_t *ro,
3039		     uint32_t vrf_id,
3040		     uint8_t dest_is_priv,
3041		     uint8_t dest_is_loop,
3042		     int non_asoc_addr_ok,
3043		     sa_family_t fam)
3044{
3045	int cur_addr_num = 0, num_preferred = 0;
3046	void *ifn;
3047	struct sctp_ifn *sctp_ifn, *looked_at = NULL, *emit_ifn;
3048	struct sctp_ifa *sctp_ifa, *sifa;
3049	uint32_t ifn_index;
3050	struct sctp_vrf *vrf;
3051#ifdef INET
3052	int retried = 0;
3053#endif
3054
3055	/*-
3056	 * For boundall we can use any address in the association.
3057	 * If non_asoc_addr_ok is set we can use any address (at least in
3058	 * theory). So we look for preferred addresses first. If we find one,
3059	 * we use it. Otherwise we next try to get an address on the
3060	 * interface, which we should be able to do (unless non_asoc_addr_ok
3061	 * is false and we are routed out that way). In these cases where we
3062	 * can't use the address of the interface we go through all the
3063	 * ifn's looking for an address we can use and fill that in. Punting
3064	 * means we send back address 0, which will probably cause problems
3065	 * actually since then IP will fill in the address of the route ifn,
3066	 * which means we probably already rejected it.. i.e. here comes an
3067	 * abort :-<.
3068	 */
3069	vrf = sctp_find_vrf(vrf_id);
3070	if (vrf == NULL)
3071		return (NULL);
3072
3073	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
3074	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
3075	SCTPDBG(SCTP_DEBUG_OUTPUT2,"ifn from route:%p ifn_index:%d\n", ifn, ifn_index);
3076	emit_ifn = looked_at = sctp_ifn = sctp_find_ifn(ifn, ifn_index);
3077	if (sctp_ifn == NULL) {
3078		/* ?? We don't have this guy ?? */
3079		SCTPDBG(SCTP_DEBUG_OUTPUT2,"No ifn emit interface?\n");
3080		goto bound_all_plan_b;
3081	}
3082	SCTPDBG(SCTP_DEBUG_OUTPUT2,"ifn_index:%d name:%s is emit interface\n",
3083		ifn_index, sctp_ifn->ifn_name);
3084
3085	if (net) {
3086		cur_addr_num = net->indx_of_eligible_next_to_use;
3087	}
3088	num_preferred = sctp_count_num_preferred_boundall(sctp_ifn,
3089							  inp, stcb,
3090							  non_asoc_addr_ok,
3091							  dest_is_loop,
3092							  dest_is_priv, fam);
3093	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Found %d preferred source addresses for intf:%s\n",
3094		num_preferred, sctp_ifn->ifn_name);
3095	if (num_preferred == 0) {
3096		/*
3097		 * no eligible addresses, we must use some other interface
3098		 * address if we can find one.
3099		 */
3100		goto bound_all_plan_b;
3101	}
3102	/*
3103	 * Ok we have num_eligible_addr set with how many we can use, this
3104	 * may vary from call to call due to addresses being deprecated
3105	 * etc..
3106	 */
3107	if (cur_addr_num >= num_preferred) {
3108		cur_addr_num = 0;
3109	}
3110	/*
3111	 * select the nth address from the list (where cur_addr_num is the
3112	 * nth) and 0 is the first one, 1 is the second one etc...
3113	 */
3114	SCTPDBG(SCTP_DEBUG_OUTPUT2, "cur_addr_num:%d\n", cur_addr_num);
3115
3116	sctp_ifa = sctp_select_nth_preferred_addr_from_ifn_boundall(sctp_ifn, inp, stcb, non_asoc_addr_ok, dest_is_loop,
3117                                                                    dest_is_priv, cur_addr_num, fam, ro);
3118
3119	/* if sctp_ifa is NULL something changed??, fall to plan b. */
3120	if (sctp_ifa) {
3121		atomic_add_int(&sctp_ifa->refcount, 1);
3122		if (net) {
3123			/* save off where the next one we will want */
3124			net->indx_of_eligible_next_to_use = cur_addr_num + 1;
3125		}
3126		return (sctp_ifa);
3127	}
3128	/*
3129	 * plan_b: Look at all interfaces and find a preferred address. If
3130	 * no preferred fall through to plan_c.
3131	 */
3132 bound_all_plan_b:
3133	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan B\n");
3134	LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
3135		SCTPDBG(SCTP_DEBUG_OUTPUT2, "Examine interface %s\n",
3136			sctp_ifn->ifn_name);
3137		if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
3138			/* wrong base scope */
3139			SCTPDBG(SCTP_DEBUG_OUTPUT2, "skip\n");
3140			continue;
3141		}
3142		if ((sctp_ifn == looked_at) && looked_at) {
3143			/* already looked at this guy */
3144			SCTPDBG(SCTP_DEBUG_OUTPUT2, "already seen\n");
3145			continue;
3146		}
3147		num_preferred = sctp_count_num_preferred_boundall(sctp_ifn, inp, stcb, non_asoc_addr_ok,
3148                                                                  dest_is_loop, dest_is_priv, fam);
3149		SCTPDBG(SCTP_DEBUG_OUTPUT2,
3150			"Found ifn:%p %d preferred source addresses\n",
3151			ifn, num_preferred);
3152		if (num_preferred == 0) {
3153			/* None on this interface. */
3154			SCTPDBG(SCTP_DEBUG_OUTPUT2, "No prefered -- skipping to next\n");
3155			continue;
3156		}
3157		SCTPDBG(SCTP_DEBUG_OUTPUT2,
3158			"num preferred:%d on interface:%p cur_addr_num:%d\n",
3159			num_preferred, (void *)sctp_ifn, cur_addr_num);
3160
3161		/*
3162		 * Ok we have num_eligible_addr set with how many we can
3163		 * use, this may vary from call to call due to addresses
3164		 * being deprecated etc..
3165		 */
3166		if (cur_addr_num >= num_preferred) {
3167			cur_addr_num = 0;
3168		}
3169		sifa = sctp_select_nth_preferred_addr_from_ifn_boundall(sctp_ifn, inp, stcb, non_asoc_addr_ok, dest_is_loop,
3170                                                                        dest_is_priv, cur_addr_num, fam, ro);
3171		if (sifa == NULL)
3172			continue;
3173		if (net) {
3174			net->indx_of_eligible_next_to_use = cur_addr_num + 1;
3175			SCTPDBG(SCTP_DEBUG_OUTPUT2, "we selected %d\n",
3176				cur_addr_num);
3177			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Source:");
3178			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &sifa->address.sa);
3179			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Dest:");
3180			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &net->ro._l_addr.sa);
3181		}
3182		atomic_add_int(&sifa->refcount, 1);
3183		return (sifa);
3184	}
3185#ifdef INET
3186again_with_private_addresses_allowed:
3187#endif
3188	/* plan_c: do we have an acceptable address on the emit interface */
3189	sifa = NULL;
3190	SCTPDBG(SCTP_DEBUG_OUTPUT2,"Trying Plan C: find acceptable on interface\n");
3191	if (emit_ifn == NULL) {
3192		SCTPDBG(SCTP_DEBUG_OUTPUT2,"Jump to Plan D - no emit_ifn\n");
3193		goto plan_d;
3194	}
3195	LIST_FOREACH(sctp_ifa, &emit_ifn->ifalist, next_ifa) {
3196		SCTPDBG(SCTP_DEBUG_OUTPUT2, "ifa:%p\n", (void *)sctp_ifa);
3197#if defined(__FreeBSD__)
3198#ifdef INET
3199		if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
3200		    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
3201		                      &sctp_ifa->address.sin.sin_addr) != 0)) {
3202			SCTPDBG(SCTP_DEBUG_OUTPUT2,"Jailed\n");
3203			continue;
3204		}
3205#endif
3206#ifdef INET6
3207		if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
3208		    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
3209		                      &sctp_ifa->address.sin6.sin6_addr) != 0)) {
3210			SCTPDBG(SCTP_DEBUG_OUTPUT2,"Jailed\n");
3211			continue;
3212		}
3213#endif
3214#endif
3215		if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3216		    (non_asoc_addr_ok == 0)) {
3217			SCTPDBG(SCTP_DEBUG_OUTPUT2,"Defer\n");
3218			continue;
3219		}
3220		sifa = sctp_is_ifa_addr_acceptable(sctp_ifa, dest_is_loop,
3221						   dest_is_priv, fam);
3222		if (sifa == NULL) {
3223			SCTPDBG(SCTP_DEBUG_OUTPUT2, "IFA not acceptable\n");
3224			continue;
3225		}
3226		if (stcb) {
3227			if (sctp_is_address_in_scope(sifa, &stcb->asoc.scope, 0) == 0) {
3228				SCTPDBG(SCTP_DEBUG_OUTPUT2, "NOT in scope\n");
3229				sifa = NULL;
3230				continue;
3231			}
3232			if (((non_asoc_addr_ok == 0) &&
3233			     (sctp_is_addr_restricted(stcb, sifa))) ||
3234			    (non_asoc_addr_ok &&
3235			     (sctp_is_addr_restricted(stcb, sifa)) &&
3236			     (!sctp_is_addr_pending(stcb, sifa)))) {
3237				/*
3238				 * It is restricted for some
3239				 * reason.. probably not yet added.
3240				 */
3241				SCTPDBG(SCTP_DEBUG_OUTPUT2, "Its resticted\n");
3242				sifa = NULL;
3243				continue;
3244			}
3245		} else {
3246			SCTP_PRINTF("Stcb is null - no print\n");
3247		}
3248		atomic_add_int(&sifa->refcount, 1);
3249		goto out;
3250	}
3251 plan_d:
3252	/*
3253	 * plan_d: We are in trouble. No preferred address on the emit
3254	 * interface. And not even a preferred address on all interfaces.
3255	 * Go out and see if we can find an acceptable address somewhere
3256	 * amongst all interfaces.
3257	 */
3258	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan D looked_at is %p\n", (void *)looked_at);
3259	LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
3260		if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
3261			/* wrong base scope */
3262			continue;
3263		}
3264		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
3265#if defined(__FreeBSD__)
3266#ifdef INET
3267			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
3268			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
3269			                      &sctp_ifa->address.sin.sin_addr) != 0)) {
3270				continue;
3271			}
3272#endif
3273#ifdef INET6
3274			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
3275			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
3276			                      &sctp_ifa->address.sin6.sin6_addr) != 0)) {
3277				continue;
3278			}
3279#endif
3280#endif
3281			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3282			    (non_asoc_addr_ok == 0))
3283				continue;
3284			sifa = sctp_is_ifa_addr_acceptable(sctp_ifa,
3285							   dest_is_loop,
3286							   dest_is_priv, fam);
3287			if (sifa == NULL)
3288				continue;
3289			if (stcb) {
3290				if (sctp_is_address_in_scope(sifa, &stcb->asoc.scope, 0) == 0) {
3291					sifa = NULL;
3292					continue;
3293				}
3294				if (((non_asoc_addr_ok == 0) &&
3295				     (sctp_is_addr_restricted(stcb, sifa))) ||
3296				    (non_asoc_addr_ok &&
3297				     (sctp_is_addr_restricted(stcb, sifa)) &&
3298				     (!sctp_is_addr_pending(stcb, sifa)))) {
3299					/*
3300					 * It is restricted for some
3301					 * reason.. probably not yet added.
3302					 */
3303					sifa = NULL;
3304					continue;
3305				}
3306			}
3307			goto out;
3308		}
3309	}
3310#ifdef INET
3311	if ((retried == 0) && (stcb->asoc.scope.ipv4_local_scope == 0)) {
3312		stcb->asoc.scope.ipv4_local_scope = 1;
3313		retried = 1;
3314		goto again_with_private_addresses_allowed;
3315	} else if (retried == 1) {
3316		stcb->asoc.scope.ipv4_local_scope = 0;
3317	}
3318#endif
3319out:
3320#ifdef INET
3321	if (sifa) {
3322		if (retried == 1) {
3323			LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
3324				if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
3325					/* wrong base scope */
3326					continue;
3327				}
3328				LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
3329					struct sctp_ifa *tmp_sifa;
3330
3331#if defined(__FreeBSD__)
3332#ifdef INET
3333					if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
3334					    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
3335					                      &sctp_ifa->address.sin.sin_addr) != 0)) {
3336						continue;
3337					}
3338#endif
3339#ifdef INET6
3340					if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
3341					    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
3342					                      &sctp_ifa->address.sin6.sin6_addr) != 0)) {
3343						continue;
3344					}
3345#endif
3346#endif
3347					if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3348					    (non_asoc_addr_ok == 0))
3349						continue;
3350					tmp_sifa = sctp_is_ifa_addr_acceptable(sctp_ifa,
3351					                                       dest_is_loop,
3352					                                       dest_is_priv, fam);
3353					if (tmp_sifa == NULL) {
3354						continue;
3355					}
3356					if (tmp_sifa == sifa) {
3357						continue;
3358					}
3359					if (stcb) {
3360						if (sctp_is_address_in_scope(tmp_sifa,
3361						                             &stcb->asoc.scope, 0) == 0) {
3362							continue;
3363						}
3364						if (((non_asoc_addr_ok == 0) &&
3365						     (sctp_is_addr_restricted(stcb, tmp_sifa))) ||
3366						    (non_asoc_addr_ok &&
3367						     (sctp_is_addr_restricted(stcb, tmp_sifa)) &&
3368						     (!sctp_is_addr_pending(stcb, tmp_sifa)))) {
3369							/*
3370							 * It is restricted for some
3371							 * reason.. probably not yet added.
3372							 */
3373							continue;
3374						}
3375					}
3376					if ((tmp_sifa->address.sin.sin_family == AF_INET) &&
3377					    (IN4_ISPRIVATE_ADDRESS(&(tmp_sifa->address.sin.sin_addr)))) {
3378						sctp_add_local_addr_restricted(stcb, tmp_sifa);
3379					}
3380				}
3381			}
3382		}
3383		atomic_add_int(&sifa->refcount, 1);
3384	}
3385#endif
3386	return (sifa);
3387}
3388
3389
3390
3391/* tcb may be NULL */
3392struct sctp_ifa *
3393sctp_source_address_selection(struct sctp_inpcb *inp,
3394			      struct sctp_tcb *stcb,
3395			      sctp_route_t *ro,
3396			      struct sctp_nets *net,
3397			      int non_asoc_addr_ok, uint32_t vrf_id)
3398{
3399	struct sctp_ifa *answer;
3400	uint8_t dest_is_priv, dest_is_loop;
3401	sa_family_t fam;
3402#ifdef INET
3403	struct sockaddr_in *to = (struct sockaddr_in *)&ro->ro_dst;
3404#endif
3405#ifdef INET6
3406	struct sockaddr_in6 *to6 = (struct sockaddr_in6 *)&ro->ro_dst;
3407#endif
3408
3409	/**
3410	 * Rules: - Find the route if needed, cache if I can. - Look at
3411	 * interface address in route, Is it in the bound list. If so we
3412	 * have the best source. - If not we must rotate amongst the
3413	 * addresses.
3414	 *
3415	 * Cavets and issues
3416	 *
3417	 * Do we need to pay attention to scope. We can have a private address
3418	 * or a global address we are sourcing or sending to. So if we draw
3419	 * it out
3420	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3421	 * For V4
3422	 * ------------------------------------------
3423	 *      source     *      dest  *  result
3424	 * -----------------------------------------
3425	 * <a>  Private    *    Global  *  NAT
3426	 * -----------------------------------------
3427	 * <b>  Private    *    Private *  No problem
3428	 * -----------------------------------------
3429	 * <c>  Global     *    Private *  Huh, How will this work?
3430	 * -----------------------------------------
3431	 * <d>  Global     *    Global  *  No Problem
3432	 *------------------------------------------
3433	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3434	 * For V6
3435	 *------------------------------------------
3436	 *      source     *      dest  *  result
3437	 * -----------------------------------------
3438	 * <a>  Linklocal  *    Global  *
3439	 * -----------------------------------------
3440	 * <b>  Linklocal  * Linklocal  *  No problem
3441	 * -----------------------------------------
3442	 * <c>  Global     * Linklocal  *  Huh, How will this work?
3443	 * -----------------------------------------
3444	 * <d>  Global     *    Global  *  No Problem
3445	 *------------------------------------------
3446	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3447	 *
3448	 * And then we add to that what happens if there are multiple addresses
3449	 * assigned to an interface. Remember the ifa on a ifn is a linked
3450	 * list of addresses. So one interface can have more than one IP
3451	 * address. What happens if we have both a private and a global
3452	 * address? Do we then use context of destination to sort out which
3453	 * one is best? And what about NAT's sending P->G may get you a NAT
3454	 * translation, or should you select the G thats on the interface in
3455	 * preference.
3456	 *
3457	 * Decisions:
3458	 *
3459	 * - count the number of addresses on the interface.
3460	 * - if it is one, no problem except case <c>.
3461	 *   For <a> we will assume a NAT out there.
3462	 * - if there are more than one, then we need to worry about scope P
3463	 *   or G. We should prefer G -> G and P -> P if possible.
3464	 *   Then as a secondary fall back to mixed types G->P being a last
3465	 *   ditch one.
3466	 * - The above all works for bound all, but bound specific we need to
3467	 *   use the same concept but instead only consider the bound
3468	 *   addresses. If the bound set is NOT assigned to the interface then
3469	 *   we must use rotation amongst the bound addresses..
3470	 */
3471	if (ro->ro_rt == NULL) {
3472		/*
3473		 * Need a route to cache.
3474		 */
3475		SCTP_RTALLOC(ro, vrf_id);
3476	}
3477	if (ro->ro_rt == NULL) {
3478		return (NULL);
3479	}
3480	fam = ro->ro_dst.sa_family;
3481	dest_is_priv = dest_is_loop = 0;
3482	/* Setup our scopes for the destination */
3483	switch (fam) {
3484#ifdef INET
3485	case AF_INET:
3486		/* Scope based on outbound address */
3487		if (IN4_ISLOOPBACK_ADDRESS(&to->sin_addr)) {
3488			dest_is_loop = 1;
3489			if (net != NULL) {
3490				/* mark it as local */
3491				net->addr_is_local = 1;
3492			}
3493		} else if ((IN4_ISPRIVATE_ADDRESS(&to->sin_addr))) {
3494			dest_is_priv = 1;
3495		}
3496		break;
3497#endif
3498#ifdef INET6
3499	case AF_INET6:
3500		/* Scope based on outbound address */
3501#if defined(__Userspace_os_Windows)
3502		if (IN6_IS_ADDR_LOOPBACK(&to6->sin6_addr)) {
3503#else
3504		if (IN6_IS_ADDR_LOOPBACK(&to6->sin6_addr) ||
3505		    SCTP_ROUTE_IS_REAL_LOOP(ro)) {
3506#endif
3507			/*
3508			 * If the address is a loopback address, which
3509			 * consists of "::1" OR "fe80::1%lo0", we are loopback
3510			 * scope. But we don't use dest_is_priv (link local
3511			 * addresses).
3512			 */
3513			dest_is_loop = 1;
3514			if (net != NULL) {
3515				/* mark it as local */
3516				net->addr_is_local = 1;
3517			}
3518		} else if (IN6_IS_ADDR_LINKLOCAL(&to6->sin6_addr)) {
3519			dest_is_priv = 1;
3520		}
3521		break;
3522#endif
3523	}
3524	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Select source addr for:");
3525	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)&ro->ro_dst);
3526	SCTP_IPI_ADDR_RLOCK();
3527	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
3528		/*
3529		 * Bound all case
3530		 */
3531		answer = sctp_choose_boundall(inp, stcb, net, ro, vrf_id,
3532					      dest_is_priv, dest_is_loop,
3533					      non_asoc_addr_ok, fam);
3534		SCTP_IPI_ADDR_RUNLOCK();
3535		return (answer);
3536	}
3537	/*
3538	 * Subset bound case
3539	 */
3540	if (stcb) {
3541		answer = sctp_choose_boundspecific_stcb(inp, stcb, ro,
3542							vrf_id,	dest_is_priv,
3543							dest_is_loop,
3544							non_asoc_addr_ok, fam);
3545	} else {
3546		answer = sctp_choose_boundspecific_inp(inp, ro, vrf_id,
3547						       non_asoc_addr_ok,
3548						       dest_is_priv,
3549						       dest_is_loop, fam);
3550	}
3551	SCTP_IPI_ADDR_RUNLOCK();
3552	return (answer);
3553}
3554
3555static int
3556sctp_find_cmsg(int c_type, void *data, struct mbuf *control, size_t cpsize)
3557{
3558#if defined(__Userspace_os_Windows)
3559	WSACMSGHDR cmh;
3560#else
3561	struct cmsghdr cmh;
3562#endif
3563	int tlen, at, found;
3564	struct sctp_sndinfo sndinfo;
3565	struct sctp_prinfo prinfo;
3566	struct sctp_authinfo authinfo;
3567
3568	tlen = SCTP_BUF_LEN(control);
3569	at = 0;
3570	found = 0;
3571	/*
3572	 * Independent of how many mbufs, find the c_type inside the control
3573	 * structure and copy out the data.
3574	 */
3575	while (at < tlen) {
3576		if ((tlen - at) < (int)CMSG_ALIGN(sizeof(cmh))) {
3577			/* There is not enough room for one more. */
3578			return (found);
3579		}
3580		m_copydata(control, at, sizeof(cmh), (caddr_t)&cmh);
3581		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
3582			/* We dont't have a complete CMSG header. */
3583			return (found);
3584		}
3585		if (((int)cmh.cmsg_len + at) > tlen) {
3586			/* We don't have the complete CMSG. */
3587			return (found);
3588		}
3589		if ((cmh.cmsg_level == IPPROTO_SCTP) &&
3590		    ((c_type == cmh.cmsg_type) ||
3591		     ((c_type == SCTP_SNDRCV) &&
3592		      ((cmh.cmsg_type == SCTP_SNDINFO) ||
3593		       (cmh.cmsg_type == SCTP_PRINFO) ||
3594		       (cmh.cmsg_type == SCTP_AUTHINFO))))) {
3595			if (c_type == cmh.cmsg_type) {
3596				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < cpsize) {
3597					return (found);
3598				}
3599				/* It is exactly what we want. Copy it out. */
3600				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), cpsize, (caddr_t)data);
3601				return (1);
3602			} else {
3603				struct sctp_sndrcvinfo *sndrcvinfo;
3604
3605				sndrcvinfo = (struct sctp_sndrcvinfo *)data;
3606				if (found == 0) {
3607					if (cpsize < sizeof(struct sctp_sndrcvinfo)) {
3608						return (found);
3609					}
3610					memset(sndrcvinfo, 0, sizeof(struct sctp_sndrcvinfo));
3611				}
3612				switch (cmh.cmsg_type) {
3613				case SCTP_SNDINFO:
3614					if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct sctp_sndinfo)) {
3615						return (found);
3616					}
3617					m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct sctp_sndinfo), (caddr_t)&sndinfo);
3618					sndrcvinfo->sinfo_stream = sndinfo.snd_sid;
3619					sndrcvinfo->sinfo_flags = sndinfo.snd_flags;
3620					sndrcvinfo->sinfo_ppid = sndinfo.snd_ppid;
3621					sndrcvinfo->sinfo_context = sndinfo.snd_context;
3622					sndrcvinfo->sinfo_assoc_id = sndinfo.snd_assoc_id;
3623					break;
3624				case SCTP_PRINFO:
3625					if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct sctp_prinfo)) {
3626						return (found);
3627					}
3628					m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct sctp_prinfo), (caddr_t)&prinfo);
3629					if (prinfo.pr_policy != SCTP_PR_SCTP_NONE) {
3630						sndrcvinfo->sinfo_timetolive = prinfo.pr_value;
3631					} else {
3632						sndrcvinfo->sinfo_timetolive = 0;
3633					}
3634					sndrcvinfo->sinfo_flags |= prinfo.pr_policy;
3635					break;
3636				case SCTP_AUTHINFO:
3637					if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct sctp_authinfo)) {
3638						return (found);
3639					}
3640					m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct sctp_authinfo), (caddr_t)&authinfo);
3641					sndrcvinfo->sinfo_keynumber_valid = 1;
3642					sndrcvinfo->sinfo_keynumber = authinfo.auth_keynumber;
3643					break;
3644				default:
3645					return (found);
3646				}
3647				found = 1;
3648			}
3649		}
3650		at += CMSG_ALIGN(cmh.cmsg_len);
3651	}
3652	return (found);
3653}
3654
3655static int
3656sctp_process_cmsgs_for_init(struct sctp_tcb *stcb, struct mbuf *control, int *error)
3657{
3658#if defined(__Userspace_os_Windows)
3659	WSACMSGHDR cmh;
3660#else
3661	struct cmsghdr cmh;
3662#endif
3663	int tlen, at;
3664	struct sctp_initmsg initmsg;
3665#ifdef INET
3666	struct sockaddr_in sin;
3667#endif
3668#ifdef INET6
3669	struct sockaddr_in6 sin6;
3670#endif
3671
3672	tlen = SCTP_BUF_LEN(control);
3673	at = 0;
3674	while (at < tlen) {
3675		if ((tlen - at) < (int)CMSG_ALIGN(sizeof(cmh))) {
3676			/* There is not enough room for one more. */
3677			*error = EINVAL;
3678			return (1);
3679		}
3680		m_copydata(control, at, sizeof(cmh), (caddr_t)&cmh);
3681		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
3682			/* We dont't have a complete CMSG header. */
3683			*error = EINVAL;
3684			return (1);
3685		}
3686		if (((int)cmh.cmsg_len + at) > tlen) {
3687			/* We don't have the complete CMSG. */
3688			*error = EINVAL;
3689			return (1);
3690		}
3691		if (cmh.cmsg_level == IPPROTO_SCTP) {
3692			switch (cmh.cmsg_type) {
3693			case SCTP_INIT:
3694				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct sctp_initmsg)) {
3695					*error = EINVAL;
3696					return (1);
3697				}
3698				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct sctp_initmsg), (caddr_t)&initmsg);
3699				if (initmsg.sinit_max_attempts)
3700					stcb->asoc.max_init_times = initmsg.sinit_max_attempts;
3701				if (initmsg.sinit_num_ostreams)
3702					stcb->asoc.pre_open_streams = initmsg.sinit_num_ostreams;
3703				if (initmsg.sinit_max_instreams)
3704					stcb->asoc.max_inbound_streams = initmsg.sinit_max_instreams;
3705				if (initmsg.sinit_max_init_timeo)
3706					stcb->asoc.initial_init_rto_max = initmsg.sinit_max_init_timeo;
3707				if (stcb->asoc.streamoutcnt < stcb->asoc.pre_open_streams) {
3708					struct sctp_stream_out *tmp_str;
3709					unsigned int i;
3710#if defined(SCTP_DETAILED_STR_STATS)
3711					int j;
3712#endif
3713
3714					/* Default is NOT correct */
3715					SCTPDBG(SCTP_DEBUG_OUTPUT1, "Ok, default:%d pre_open:%d\n",
3716						stcb->asoc.streamoutcnt, stcb->asoc.pre_open_streams);
3717					SCTP_TCB_UNLOCK(stcb);
3718					SCTP_MALLOC(tmp_str,
3719					            struct sctp_stream_out *,
3720					            (stcb->asoc.pre_open_streams * sizeof(struct sctp_stream_out)),
3721					            SCTP_M_STRMO);
3722					SCTP_TCB_LOCK(stcb);
3723					if (tmp_str != NULL) {
3724						SCTP_FREE(stcb->asoc.strmout, SCTP_M_STRMO);
3725						stcb->asoc.strmout = tmp_str;
3726						stcb->asoc.strm_realoutsize = stcb->asoc.streamoutcnt = stcb->asoc.pre_open_streams;
3727					} else {
3728						stcb->asoc.pre_open_streams = stcb->asoc.streamoutcnt;
3729					}
3730					for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
3731						TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
3732						stcb->asoc.strmout[i].chunks_on_queues = 0;
3733						stcb->asoc.strmout[i].next_sequence_send = 0;
3734#if defined(SCTP_DETAILED_STR_STATS)
3735						for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
3736							stcb->asoc.strmout[i].abandoned_sent[j] = 0;
3737							stcb->asoc.strmout[i].abandoned_unsent[j] = 0;
3738						}
3739#else
3740						stcb->asoc.strmout[i].abandoned_sent[0] = 0;
3741						stcb->asoc.strmout[i].abandoned_unsent[0] = 0;
3742#endif
3743						stcb->asoc.strmout[i].stream_no = i;
3744						stcb->asoc.strmout[i].last_msg_incomplete = 0;
3745						stcb->asoc.ss_functions.sctp_ss_init_stream(&stcb->asoc.strmout[i], NULL);
3746					}
3747				}
3748				break;
3749#ifdef INET
3750			case SCTP_DSTADDRV4:
3751				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct in_addr)) {
3752					*error = EINVAL;
3753					return (1);
3754				}
3755				memset(&sin, 0, sizeof(struct sockaddr_in));
3756				sin.sin_family = AF_INET;
3757#ifdef HAVE_SIN_LEN
3758				sin.sin_len = sizeof(struct sockaddr_in);
3759#endif
3760				sin.sin_port = stcb->rport;
3761				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct in_addr), (caddr_t)&sin.sin_addr);
3762				if ((sin.sin_addr.s_addr == INADDR_ANY) ||
3763				    (sin.sin_addr.s_addr == INADDR_BROADCAST) ||
3764				    IN_MULTICAST(ntohl(sin.sin_addr.s_addr))) {
3765					*error = EINVAL;
3766					return (1);
3767				}
3768				if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin, NULL,
3769				                         SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
3770					*error = ENOBUFS;
3771					return (1);
3772				}
3773				break;
3774#endif
3775#ifdef INET6
3776			case SCTP_DSTADDRV6:
3777				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct in6_addr)) {
3778					*error = EINVAL;
3779					return (1);
3780				}
3781				memset(&sin6, 0, sizeof(struct sockaddr_in6));
3782				sin6.sin6_family = AF_INET6;
3783#ifdef HAVE_SIN6_LEN
3784				sin6.sin6_len = sizeof(struct sockaddr_in6);
3785#endif
3786				sin6.sin6_port = stcb->rport;
3787				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct in6_addr), (caddr_t)&sin6.sin6_addr);
3788				if (IN6_IS_ADDR_UNSPECIFIED(&sin6.sin6_addr) ||
3789				    IN6_IS_ADDR_MULTICAST(&sin6.sin6_addr)) {
3790					*error = EINVAL;
3791					return (1);
3792				}
3793#ifdef INET
3794				if (IN6_IS_ADDR_V4MAPPED(&sin6.sin6_addr)) {
3795					in6_sin6_2_sin(&sin, &sin6);
3796					if ((sin.sin_addr.s_addr == INADDR_ANY) ||
3797					    (sin.sin_addr.s_addr == INADDR_BROADCAST) ||
3798					    IN_MULTICAST(ntohl(sin.sin_addr.s_addr))) {
3799						*error = EINVAL;
3800						return (1);
3801					}
3802					if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin, NULL,
3803					                         SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
3804						*error = ENOBUFS;
3805						return (1);
3806					}
3807				} else
3808#endif
3809					if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin6, NULL,
3810					                         SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
3811						*error = ENOBUFS;
3812						return (1);
3813					}
3814				break;
3815#endif
3816			default:
3817				break;
3818			}
3819		}
3820		at += CMSG_ALIGN(cmh.cmsg_len);
3821	}
3822	return (0);
3823}
3824
3825static struct sctp_tcb *
3826sctp_findassociation_cmsgs(struct sctp_inpcb **inp_p,
3827                           uint16_t port,
3828                           struct mbuf *control,
3829                           struct sctp_nets **net_p,
3830                           int *error)
3831{
3832#if defined(__Userspace_os_Windows)
3833	WSACMSGHDR cmh;
3834#else
3835	struct cmsghdr cmh;
3836#endif
3837	int tlen, at;
3838	struct sctp_tcb *stcb;
3839	struct sockaddr *addr;
3840#ifdef INET
3841	struct sockaddr_in sin;
3842#endif
3843#ifdef INET6
3844	struct sockaddr_in6 sin6;
3845#endif
3846
3847	tlen = SCTP_BUF_LEN(control);
3848	at = 0;
3849	while (at < tlen) {
3850		if ((tlen - at) < (int)CMSG_ALIGN(sizeof(cmh))) {
3851			/* There is not enough room for one more. */
3852			*error = EINVAL;
3853			return (NULL);
3854		}
3855		m_copydata(control, at, sizeof(cmh), (caddr_t)&cmh);
3856		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
3857			/* We dont't have a complete CMSG header. */
3858			*error = EINVAL;
3859			return (NULL);
3860		}
3861		if (((int)cmh.cmsg_len + at) > tlen) {
3862			/* We don't have the complete CMSG. */
3863			*error = EINVAL;
3864			return (NULL);
3865		}
3866		if (cmh.cmsg_level == IPPROTO_SCTP) {
3867			switch (cmh.cmsg_type) {
3868#ifdef INET
3869			case SCTP_DSTADDRV4:
3870				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct in_addr)) {
3871					*error = EINVAL;
3872					return (NULL);
3873				}
3874				memset(&sin, 0, sizeof(struct sockaddr_in));
3875				sin.sin_family = AF_INET;
3876#ifdef HAVE_SIN_LEN
3877				sin.sin_len = sizeof(struct sockaddr_in);
3878#endif
3879				sin.sin_port = port;
3880				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct in_addr), (caddr_t)&sin.sin_addr);
3881				addr = (struct sockaddr *)&sin;
3882				break;
3883#endif
3884#ifdef INET6
3885			case SCTP_DSTADDRV6:
3886				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct in6_addr)) {
3887					*error = EINVAL;
3888					return (NULL);
3889				}
3890				memset(&sin6, 0, sizeof(struct sockaddr_in6));
3891				sin6.sin6_family = AF_INET6;
3892#ifdef HAVE_SIN6_LEN
3893				sin6.sin6_len = sizeof(struct sockaddr_in6);
3894#endif
3895				sin6.sin6_port = port;
3896				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct in6_addr), (caddr_t)&sin6.sin6_addr);
3897#ifdef INET
3898				if (IN6_IS_ADDR_V4MAPPED(&sin6.sin6_addr)) {
3899					in6_sin6_2_sin(&sin, &sin6);
3900					addr = (struct sockaddr *)&sin;
3901				} else
3902#endif
3903					addr = (struct sockaddr *)&sin6;
3904				break;
3905#endif
3906			default:
3907				addr = NULL;
3908				break;
3909			}
3910			if (addr) {
3911				stcb = sctp_findassociation_ep_addr(inp_p, addr, net_p, NULL, NULL);
3912				if (stcb != NULL) {
3913					return (stcb);
3914				}
3915			}
3916		}
3917		at += CMSG_ALIGN(cmh.cmsg_len);
3918	}
3919	return (NULL);
3920}
3921
3922static struct mbuf *
3923sctp_add_cookie(struct mbuf *init, int init_offset,
3924    struct mbuf *initack, int initack_offset, struct sctp_state_cookie *stc_in, uint8_t **signature)
3925{
3926	struct mbuf *copy_init, *copy_initack, *m_at, *sig, *mret;
3927	struct sctp_state_cookie *stc;
3928	struct sctp_paramhdr *ph;
3929	uint8_t *foo;
3930	int sig_offset;
3931	uint16_t cookie_sz;
3932
3933	mret = sctp_get_mbuf_for_msg((sizeof(struct sctp_state_cookie) +
3934				      sizeof(struct sctp_paramhdr)), 0,
3935				     M_NOWAIT, 1, MT_DATA);
3936	if (mret == NULL) {
3937		return (NULL);
3938	}
3939	copy_init = SCTP_M_COPYM(init, init_offset, M_COPYALL, M_NOWAIT);
3940	if (copy_init == NULL) {
3941		sctp_m_freem(mret);
3942		return (NULL);
3943	}
3944#ifdef SCTP_MBUF_LOGGING
3945	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
3946		struct mbuf *mat;
3947
3948		for (mat = copy_init; mat; mat = SCTP_BUF_NEXT(mat)) {
3949			if (SCTP_BUF_IS_EXTENDED(mat)) {
3950				sctp_log_mb(mat, SCTP_MBUF_ICOPY);
3951			}
3952		}
3953	}
3954#endif
3955	copy_initack = SCTP_M_COPYM(initack, initack_offset, M_COPYALL,
3956	    M_NOWAIT);
3957	if (copy_initack == NULL) {
3958		sctp_m_freem(mret);
3959		sctp_m_freem(copy_init);
3960		return (NULL);
3961	}
3962#ifdef SCTP_MBUF_LOGGING
3963	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
3964		struct mbuf *mat;
3965
3966		for (mat = copy_initack; mat; mat = SCTP_BUF_NEXT(mat)) {
3967			if (SCTP_BUF_IS_EXTENDED(mat)) {
3968				sctp_log_mb(mat, SCTP_MBUF_ICOPY);
3969			}
3970		}
3971	}
3972#endif
3973	/* easy side we just drop it on the end */
3974	ph = mtod(mret, struct sctp_paramhdr *);
3975	SCTP_BUF_LEN(mret) = sizeof(struct sctp_state_cookie) +
3976	    sizeof(struct sctp_paramhdr);
3977	stc = (struct sctp_state_cookie *)((caddr_t)ph +
3978	    sizeof(struct sctp_paramhdr));
3979	ph->param_type = htons(SCTP_STATE_COOKIE);
3980	ph->param_length = 0;	/* fill in at the end */
3981	/* Fill in the stc cookie data */
3982	memcpy(stc, stc_in, sizeof(struct sctp_state_cookie));
3983
3984	/* tack the INIT and then the INIT-ACK onto the chain */
3985	cookie_sz = 0;
3986	for (m_at = mret; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3987		cookie_sz += SCTP_BUF_LEN(m_at);
3988		if (SCTP_BUF_NEXT(m_at) == NULL) {
3989			SCTP_BUF_NEXT(m_at) = copy_init;
3990			break;
3991		}
3992	}
3993	for (m_at = copy_init; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3994		cookie_sz += SCTP_BUF_LEN(m_at);
3995		if (SCTP_BUF_NEXT(m_at) == NULL) {
3996			SCTP_BUF_NEXT(m_at) = copy_initack;
3997			break;
3998		}
3999	}
4000	for (m_at = copy_initack; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
4001		cookie_sz += SCTP_BUF_LEN(m_at);
4002		if (SCTP_BUF_NEXT(m_at) == NULL) {
4003			break;
4004		}
4005	}
4006	sig = sctp_get_mbuf_for_msg(SCTP_SECRET_SIZE, 0, M_NOWAIT, 1, MT_DATA);
4007	if (sig == NULL) {
4008		/* no space, so free the entire chain */
4009		sctp_m_freem(mret);
4010		return (NULL);
4011	}
4012	SCTP_BUF_LEN(sig) = 0;
4013	SCTP_BUF_NEXT(m_at) = sig;
4014	sig_offset = 0;
4015	foo = (uint8_t *) (mtod(sig, caddr_t) + sig_offset);
4016	memset(foo, 0, SCTP_SIGNATURE_SIZE);
4017	*signature = foo;
4018	SCTP_BUF_LEN(sig) += SCTP_SIGNATURE_SIZE;
4019	cookie_sz += SCTP_SIGNATURE_SIZE;
4020	ph->param_length = htons(cookie_sz);
4021	return (mret);
4022}
4023
4024
4025static uint8_t
4026sctp_get_ect(struct sctp_tcb *stcb)
4027{
4028	if ((stcb != NULL) && (stcb->asoc.ecn_supported == 1)) {
4029		return (SCTP_ECT0_BIT);
4030	} else {
4031		return (0);
4032	}
4033}
4034
4035#if defined(INET) || defined(INET6)
4036static void
4037sctp_handle_no_route(struct sctp_tcb *stcb,
4038                     struct sctp_nets *net,
4039                     int so_locked)
4040{
4041	SCTPDBG(SCTP_DEBUG_OUTPUT1, "dropped packet - no valid source addr\n");
4042
4043	if (net) {
4044		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Destination was ");
4045		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT1, &net->ro._l_addr.sa);
4046		if (net->dest_state & SCTP_ADDR_CONFIRMED) {
4047			if ((net->dest_state & SCTP_ADDR_REACHABLE) && stcb) {
4048				SCTPDBG(SCTP_DEBUG_OUTPUT1, "no route takes interface %p down\n", (void *)net);
4049				sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_DOWN,
4050			                        stcb, 0,
4051			                        (void *)net,
4052			                        so_locked);
4053				net->dest_state &= ~SCTP_ADDR_REACHABLE;
4054				net->dest_state &= ~SCTP_ADDR_PF;
4055			}
4056		}
4057		if (stcb) {
4058			if (net == stcb->asoc.primary_destination) {
4059				/* need a new primary */
4060				struct sctp_nets *alt;
4061
4062				alt = sctp_find_alternate_net(stcb, net, 0);
4063				if (alt != net) {
4064					if (stcb->asoc.alternate) {
4065						sctp_free_remote_addr(stcb->asoc.alternate);
4066					}
4067					stcb->asoc.alternate = alt;
4068					atomic_add_int(&stcb->asoc.alternate->ref_count, 1);
4069					if (net->ro._s_addr) {
4070						sctp_free_ifa(net->ro._s_addr);
4071						net->ro._s_addr = NULL;
4072					}
4073					net->src_addr_selected = 0;
4074				}
4075			}
4076		}
4077	}
4078}
4079#endif
4080
4081static int
4082sctp_lowlevel_chunk_output(struct sctp_inpcb *inp,
4083    struct sctp_tcb *stcb,	/* may be NULL */
4084    struct sctp_nets *net,
4085    struct sockaddr *to,
4086    struct mbuf *m,
4087    uint32_t auth_offset,
4088    struct sctp_auth_chunk *auth,
4089    uint16_t auth_keyid,
4090    int nofragment_flag,
4091    int ecn_ok,
4092    int out_of_asoc_ok,
4093    uint16_t src_port,
4094    uint16_t dest_port,
4095    uint32_t v_tag,
4096    uint16_t port,
4097    union sctp_sockstore *over_addr,
4098#if defined(__FreeBSD__)
4099    uint8_t use_mflowid, uint32_t mflowid,
4100#endif
4101#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
4102    int so_locked SCTP_UNUSED
4103#else
4104    int so_locked
4105#endif
4106    )
4107/* nofragment_flag to tell if IP_DF should be set (IPv4 only) */
4108{
4109	/**
4110	 * Given a mbuf chain (via SCTP_BUF_NEXT()) that holds a packet header
4111	 * WITH an SCTPHDR but no IP header, endpoint inp and sa structure:
4112	 * - fill in the HMAC digest of any AUTH chunk in the packet.
4113	 * - calculate and fill in the SCTP checksum.
4114	 * - prepend an IP address header.
4115	 * - if boundall use INADDR_ANY.
4116	 * - if boundspecific do source address selection.
4117	 * - set fragmentation option for ipV4.
4118	 * - On return from IP output, check/adjust mtu size of output
4119	 *   interface and smallest_mtu size as well.
4120	 */
4121	/* Will need ifdefs around this */
4122#ifdef __Panda__
4123	pakhandle_type o_pak;
4124#endif
4125	struct mbuf *newm;
4126	struct sctphdr *sctphdr;
4127	int packet_length;
4128	int ret;
4129#if defined(INET) || defined(INET6)
4130	uint32_t vrf_id;
4131#endif
4132#if defined(INET) || defined(INET6)
4133#if !defined(__Panda__)
4134	struct mbuf *o_pak;
4135#endif
4136	sctp_route_t *ro = NULL;
4137	struct udphdr *udp = NULL;
4138#endif
4139	uint8_t tos_value;
4140#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4141	struct socket *so = NULL;
4142#endif
4143
4144#if defined(__APPLE__)
4145	if (so_locked) {
4146		sctp_lock_assert(SCTP_INP_SO(inp));
4147		SCTP_TCB_LOCK_ASSERT(stcb);
4148	} else {
4149		sctp_unlock_assert(SCTP_INP_SO(inp));
4150	}
4151#endif
4152	if ((net) && (net->dest_state & SCTP_ADDR_OUT_OF_SCOPE)) {
4153		SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
4154		sctp_m_freem(m);
4155		return (EFAULT);
4156	}
4157#if defined(INET) || defined(INET6)
4158	if (stcb) {
4159		vrf_id = stcb->asoc.vrf_id;
4160	} else {
4161		vrf_id = inp->def_vrf_id;
4162	}
4163#endif
4164	/* fill in the HMAC digest for any AUTH chunk in the packet */
4165	if ((auth != NULL) && (stcb != NULL)) {
4166		sctp_fill_hmac_digest_m(m, auth_offset, auth, stcb, auth_keyid);
4167	}
4168
4169	if (net) {
4170		tos_value = net->dscp;
4171	} else if (stcb) {
4172		tos_value = stcb->asoc.default_dscp;
4173	} else {
4174		tos_value = inp->sctp_ep.default_dscp;
4175	}
4176
4177	switch (to->sa_family) {
4178#ifdef INET
4179	case AF_INET:
4180	{
4181		struct ip *ip = NULL;
4182		sctp_route_t iproute;
4183		int len;
4184
4185		len = sizeof(struct ip) + sizeof(struct sctphdr);
4186		if (port) {
4187			len += sizeof(struct udphdr);
4188		}
4189		newm = sctp_get_mbuf_for_msg(len, 1, M_NOWAIT, 1, MT_DATA);
4190		if (newm == NULL) {
4191			sctp_m_freem(m);
4192			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4193			return (ENOMEM);
4194		}
4195		SCTP_ALIGN_TO_END(newm, len);
4196		SCTP_BUF_LEN(newm) = len;
4197		SCTP_BUF_NEXT(newm) = m;
4198		m = newm;
4199#if defined(__FreeBSD__)
4200		if (net != NULL) {
4201#ifdef INVARIANTS
4202			if (net->flowidset == 0) {
4203				panic("Flow ID not set");
4204			}
4205#endif
4206			m->m_pkthdr.flowid = net->flowid;
4207			m->m_flags |= M_FLOWID;
4208		} else {
4209			if (use_mflowid != 0) {
4210				m->m_pkthdr.flowid = mflowid;
4211				m->m_flags |= M_FLOWID;
4212			}
4213		}
4214#endif
4215		packet_length = sctp_calculate_len(m);
4216		ip = mtod(m, struct ip *);
4217		ip->ip_v = IPVERSION;
4218		ip->ip_hl = (sizeof(struct ip) >> 2);
4219		if (tos_value == 0) {
4220			/*
4221			 * This means especially, that it is not set at the
4222			 * SCTP layer. So use the value from the IP layer.
4223			 */
4224#if defined(__FreeBSD__) || defined(__APPLE__) || defined(__Panda__) || defined(__Windows__) || defined(__Userspace__)
4225			tos_value = inp->ip_inp.inp.inp_ip_tos;
4226#else
4227			tos_value = inp->inp_ip_tos;
4228#endif
4229		}
4230		tos_value &= 0xfc;
4231		if (ecn_ok) {
4232			tos_value |= sctp_get_ect(stcb);
4233		}
4234                if ((nofragment_flag) && (port == 0)) {
4235#if defined(__FreeBSD__)
4236#if __FreeBSD_version >= 1000000
4237			ip->ip_off = htons(IP_DF);
4238#else
4239			ip->ip_off = IP_DF;
4240#endif
4241#elif defined(WITH_CONVERT_IP_OFF) || defined(__APPLE__) || defined(__Userspace__)
4242			ip->ip_off = IP_DF;
4243#else
4244			ip->ip_off = htons(IP_DF);
4245#endif
4246		} else {
4247#if defined(__FreeBSD__) && __FreeBSD_version >= 1000000
4248			ip->ip_off = htons(0);
4249#else
4250			ip->ip_off = 0;
4251#endif
4252		}
4253#if defined(__FreeBSD__)
4254		/* FreeBSD has a function for ip_id's */
4255		ip->ip_id = ip_newid();
4256#elif defined(RANDOM_IP_ID)
4257		/* Apple has RANDOM_IP_ID switch */
4258		ip->ip_id = htons(ip_randomid());
4259#elif defined(__Userspace__)
4260                ip->ip_id = htons(SCTP_IP_ID(inp)++);
4261#else
4262		ip->ip_id = SCTP_IP_ID(inp)++;
4263#endif
4264
4265#if defined(__FreeBSD__) || defined(__APPLE__) || defined(__Panda__) || defined(__Windows__) || defined(__Userspace__)
4266		ip->ip_ttl = inp->ip_inp.inp.inp_ip_ttl;
4267#else
4268		ip->ip_ttl = inp->inp_ip_ttl;
4269#endif
4270#if defined(__FreeBSD__) && __FreeBSD_version >= 1000000
4271		ip->ip_len = htons(packet_length);
4272#else
4273		ip->ip_len = packet_length;
4274#endif
4275		ip->ip_tos = tos_value;
4276		if (port) {
4277			ip->ip_p = IPPROTO_UDP;
4278		} else {
4279			ip->ip_p = IPPROTO_SCTP;
4280		}
4281		ip->ip_sum = 0;
4282		if (net == NULL) {
4283			ro = &iproute;
4284			memset(&iproute, 0, sizeof(iproute));
4285#ifdef HAVE_SA_LEN
4286			memcpy(&ro->ro_dst, to, to->sa_len);
4287#else
4288			memcpy(&ro->ro_dst, to, sizeof(struct sockaddr_in));
4289#endif
4290		} else {
4291			ro = (sctp_route_t *)&net->ro;
4292		}
4293		/* Now the address selection part */
4294		ip->ip_dst.s_addr = ((struct sockaddr_in *)to)->sin_addr.s_addr;
4295
4296		/* call the routine to select the src address */
4297		if (net && out_of_asoc_ok == 0) {
4298			if (net->ro._s_addr && (net->ro._s_addr->localifa_flags & (SCTP_BEING_DELETED|SCTP_ADDR_IFA_UNUSEABLE))) {
4299				sctp_free_ifa(net->ro._s_addr);
4300				net->ro._s_addr = NULL;
4301				net->src_addr_selected = 0;
4302				if (ro->ro_rt) {
4303					RTFREE(ro->ro_rt);
4304					ro->ro_rt = NULL;
4305				}
4306			}
4307			if (net->src_addr_selected == 0) {
4308				/* Cache the source address */
4309				net->ro._s_addr = sctp_source_address_selection(inp,stcb,
4310										ro, net, 0,
4311										vrf_id);
4312				net->src_addr_selected = 1;
4313			}
4314			if (net->ro._s_addr == NULL) {
4315				/* No route to host */
4316				net->src_addr_selected = 0;
4317				sctp_handle_no_route(stcb, net, so_locked);
4318				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4319				sctp_m_freem(m);
4320				return (EHOSTUNREACH);
4321			}
4322			ip->ip_src = net->ro._s_addr->address.sin.sin_addr;
4323		} else {
4324			if (over_addr == NULL) {
4325				struct sctp_ifa *_lsrc;
4326
4327				_lsrc = sctp_source_address_selection(inp, stcb, ro,
4328				                                      net,
4329				                                      out_of_asoc_ok,
4330				                                      vrf_id);
4331				if (_lsrc == NULL) {
4332					sctp_handle_no_route(stcb, net, so_locked);
4333					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4334					sctp_m_freem(m);
4335					return (EHOSTUNREACH);
4336				}
4337				ip->ip_src = _lsrc->address.sin.sin_addr;
4338				sctp_free_ifa(_lsrc);
4339			} else {
4340				ip->ip_src = over_addr->sin.sin_addr;
4341				SCTP_RTALLOC(ro, vrf_id);
4342			}
4343		}
4344		if (port) {
4345			if (htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port)) == 0) {
4346				sctp_handle_no_route(stcb, net, so_locked);
4347				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4348				sctp_m_freem(m);
4349				return (EHOSTUNREACH);
4350			}
4351			udp = (struct udphdr *)((caddr_t)ip + sizeof(struct ip));
4352			udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
4353			udp->uh_dport = port;
4354			udp->uh_ulen = htons(packet_length - sizeof(struct ip));
4355#if !defined(__Windows__) && !defined(__Userspace__)
4356#if defined(__FreeBSD__) && ((__FreeBSD_version > 803000 && __FreeBSD_version < 900000) || __FreeBSD_version > 900000)
4357			if (V_udp_cksum) {
4358				udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
4359			} else {
4360				udp->uh_sum = 0;
4361			}
4362#else
4363			udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
4364#endif
4365#else
4366			udp->uh_sum = 0;
4367#endif
4368			sctphdr = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
4369		} else {
4370			sctphdr = (struct sctphdr *)((caddr_t)ip + sizeof(struct ip));
4371		}
4372
4373		sctphdr->src_port = src_port;
4374		sctphdr->dest_port = dest_port;
4375		sctphdr->v_tag = v_tag;
4376		sctphdr->checksum = 0;
4377
4378		/*
4379		 * If source address selection fails and we find no route
4380		 * then the ip_output should fail as well with a
4381		 * NO_ROUTE_TO_HOST type error. We probably should catch
4382		 * that somewhere and abort the association right away
4383		 * (assuming this is an INIT being sent).
4384		 */
4385		if (ro->ro_rt == NULL) {
4386			/*
4387			 * src addr selection failed to find a route (or
4388			 * valid source addr), so we can't get there from
4389			 * here (yet)!
4390			 */
4391			sctp_handle_no_route(stcb, net, so_locked);
4392			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4393			sctp_m_freem(m);
4394			return (EHOSTUNREACH);
4395		}
4396		if (ro != &iproute) {
4397			memcpy(&iproute, ro, sizeof(*ro));
4398		}
4399		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Calling ipv4 output routine from low level src addr:%x\n",
4400			(uint32_t) (ntohl(ip->ip_src.s_addr)));
4401		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Destination is %x\n",
4402			(uint32_t)(ntohl(ip->ip_dst.s_addr)));
4403		SCTPDBG(SCTP_DEBUG_OUTPUT3, "RTP route is %p through\n",
4404			(void *)ro->ro_rt);
4405
4406		if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
4407			/* failed to prepend data, give up */
4408			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4409			sctp_m_freem(m);
4410			return (ENOMEM);
4411		}
4412		SCTP_ATTACH_CHAIN(o_pak, m, packet_length);
4413		if (port) {
4414#if defined(SCTP_WITH_NO_CSUM)
4415			SCTP_STAT_INCR(sctps_sendnocrc);
4416#else
4417			sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip) + sizeof(struct udphdr));
4418			SCTP_STAT_INCR(sctps_sendswcrc);
4419#endif
4420#if defined(__FreeBSD__) && ((__FreeBSD_version > 803000 && __FreeBSD_version < 900000) || __FreeBSD_version > 900000)
4421			if (V_udp_cksum) {
4422				SCTP_ENABLE_UDP_CSUM(o_pak);
4423			}
4424#else
4425			SCTP_ENABLE_UDP_CSUM(o_pak);
4426#endif
4427		} else {
4428#if defined(SCTP_WITH_NO_CSUM)
4429			SCTP_STAT_INCR(sctps_sendnocrc);
4430#else
4431#if defined(__FreeBSD__) && __FreeBSD_version >= 800000
4432			m->m_pkthdr.csum_flags = CSUM_SCTP;
4433			m->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
4434			SCTP_STAT_INCR(sctps_sendhwcrc);
4435#else
4436			if (!(SCTP_BASE_SYSCTL(sctp_no_csum_on_loopback) &&
4437			      (stcb) && (stcb->asoc.scope.loopback_scope))) {
4438				sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip));
4439				SCTP_STAT_INCR(sctps_sendswcrc);
4440			} else {
4441				SCTP_STAT_INCR(sctps_sendnocrc);
4442			}
4443#endif
4444#endif
4445		}
4446#ifdef SCTP_PACKET_LOGGING
4447		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
4448			sctp_packet_log(o_pak);
4449#endif
4450		/* send it out.  table id is taken from stcb */
4451#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4452		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4453			so = SCTP_INP_SO(inp);
4454			SCTP_SOCKET_UNLOCK(so, 0);
4455		}
4456#endif
4457		SCTP_IP_OUTPUT(ret, o_pak, ro, stcb, vrf_id);
4458#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4459		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4460			atomic_add_int(&stcb->asoc.refcnt, 1);
4461			SCTP_TCB_UNLOCK(stcb);
4462			SCTP_SOCKET_LOCK(so, 0);
4463			SCTP_TCB_LOCK(stcb);
4464			atomic_subtract_int(&stcb->asoc.refcnt, 1);
4465		}
4466#endif
4467		SCTP_STAT_INCR(sctps_sendpackets);
4468		SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
4469		if (ret)
4470			SCTP_STAT_INCR(sctps_senderrors);
4471
4472		SCTPDBG(SCTP_DEBUG_OUTPUT3, "IP output returns %d\n", ret);
4473		if (net == NULL) {
4474			/* free tempy routes */
4475#if defined(__FreeBSD__) && __FreeBSD_version > 901000
4476			RO_RTFREE(ro);
4477#else
4478			if (ro->ro_rt) {
4479				RTFREE(ro->ro_rt);
4480				ro->ro_rt = NULL;
4481			}
4482#endif
4483		} else {
4484			/* PMTU check versus smallest asoc MTU goes here */
4485			if ((ro->ro_rt != NULL) &&
4486			    (net->ro._s_addr)) {
4487				uint32_t mtu;
4488				mtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, ro->ro_rt);
4489				if (net->port) {
4490					mtu -= sizeof(struct udphdr);
4491				}
4492				if (mtu && (stcb->asoc.smallest_mtu > mtu)) {
4493					sctp_mtu_size_reset(inp, &stcb->asoc, mtu);
4494					net->mtu = mtu;
4495				}
4496			} else if (ro->ro_rt == NULL) {
4497				/* route was freed */
4498				if (net->ro._s_addr &&
4499				    net->src_addr_selected) {
4500					sctp_free_ifa(net->ro._s_addr);
4501					net->ro._s_addr = NULL;
4502				}
4503				net->src_addr_selected = 0;
4504			}
4505		}
4506		return (ret);
4507	}
4508#endif
4509#ifdef INET6
4510	case AF_INET6:
4511	{
4512		uint32_t flowlabel, flowinfo;
4513		struct ip6_hdr *ip6h;
4514		struct route_in6 ip6route;
4515#if !(defined(__Panda__) || defined(__Userspace__))
4516		struct ifnet *ifp;
4517#endif
4518		struct sockaddr_in6 *sin6, tmp, *lsa6, lsa6_tmp;
4519		int prev_scope = 0;
4520#ifdef SCTP_EMBEDDED_V6_SCOPE
4521		struct sockaddr_in6 lsa6_storage;
4522		int error;
4523#endif
4524		u_short prev_port = 0;
4525		int len;
4526
4527		if (net) {
4528			flowlabel = net->flowlabel;
4529		} else if (stcb) {
4530			flowlabel = stcb->asoc.default_flowlabel;
4531		} else {
4532			flowlabel = inp->sctp_ep.default_flowlabel;
4533		}
4534		if (flowlabel == 0) {
4535			/*
4536			 * This means especially, that it is not set at the
4537			 * SCTP layer. So use the value from the IP layer.
4538			 */
4539#if defined(__APPLE__) && (!defined(APPLE_LEOPARD) && !defined(APPLE_SNOWLEOPARD) && !defined(APPLE_LION) && !defined(APPLE_MOUNTAINLION))
4540			flowlabel = ntohl(inp->ip_inp.inp.inp_flow);
4541#else
4542			flowlabel = ntohl(((struct in6pcb *)inp)->in6p_flowinfo);
4543#endif
4544		}
4545		flowlabel &= 0x000fffff;
4546		len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr);
4547		if (port) {
4548			len += sizeof(struct udphdr);
4549		}
4550		newm = sctp_get_mbuf_for_msg(len, 1, M_NOWAIT, 1, MT_DATA);
4551		if (newm == NULL) {
4552			sctp_m_freem(m);
4553			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4554			return (ENOMEM);
4555		}
4556		SCTP_ALIGN_TO_END(newm, len);
4557		SCTP_BUF_LEN(newm) = len;
4558		SCTP_BUF_NEXT(newm) = m;
4559		m = newm;
4560#if defined(__FreeBSD__)
4561		if (net != NULL) {
4562#ifdef INVARIANTS
4563			if (net->flowidset == 0) {
4564				panic("Flow ID not set");
4565			}
4566#endif
4567			m->m_pkthdr.flowid = net->flowid;
4568			m->m_flags |= M_FLOWID;
4569		} else {
4570			if (use_mflowid != 0) {
4571				m->m_pkthdr.flowid = mflowid;
4572				m->m_flags |= M_FLOWID;
4573			}
4574		}
4575#endif
4576		packet_length = sctp_calculate_len(m);
4577
4578		ip6h = mtod(m, struct ip6_hdr *);
4579		/* protect *sin6 from overwrite */
4580		sin6 = (struct sockaddr_in6 *)to;
4581		tmp = *sin6;
4582		sin6 = &tmp;
4583
4584#ifdef SCTP_EMBEDDED_V6_SCOPE
4585		/* KAME hack: embed scopeid */
4586#if defined(__APPLE__)
4587#if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
4588		if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL) != 0)
4589#else
4590		if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL, NULL) != 0)
4591#endif
4592#elif defined(SCTP_KAME)
4593		if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0)
4594#else
4595		if (in6_embedscope(&sin6->sin6_addr, sin6) != 0)
4596#endif
4597		{
4598			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4599			return (EINVAL);
4600		}
4601#endif /* SCTP_EMBEDDED_V6_SCOPE */
4602		if (net == NULL) {
4603			memset(&ip6route, 0, sizeof(ip6route));
4604			ro = (sctp_route_t *)&ip6route;
4605#ifdef HAVE_SIN6_LEN
4606			memcpy(&ro->ro_dst, sin6, sin6->sin6_len);
4607#else
4608			memcpy(&ro->ro_dst, sin6, sizeof(struct sockaddr_in6));
4609#endif
4610		} else {
4611			ro = (sctp_route_t *)&net->ro;
4612		}
4613		/*
4614		 * We assume here that inp_flow is in host byte order within
4615		 * the TCB!
4616		 */
4617		if (tos_value == 0) {
4618			/*
4619			 * This means especially, that it is not set at the
4620			 * SCTP layer. So use the value from the IP layer.
4621			 */
4622#if defined(__FreeBSD__) || defined(__APPLE__) || defined(__Panda__) || defined(__Windows__) || defined(__Userspace__)
4623#if defined(__APPLE__) && (!defined(APPLE_LEOPARD) && !defined(APPLE_SNOWLEOPARD) && !defined(APPLE_LION) && !defined(APPLE_MOUNTAINLION))
4624			tos_value = (ntohl(inp->ip_inp.inp.inp_flow) >> 20) & 0xff;
4625#else
4626			tos_value = (ntohl(((struct in6pcb *)inp)->in6p_flowinfo) >> 20) & 0xff;
4627#endif
4628#endif
4629		}
4630		tos_value &= 0xfc;
4631		if (ecn_ok) {
4632			tos_value |= sctp_get_ect(stcb);
4633		}
4634		flowinfo = 0x06;
4635		flowinfo <<= 8;
4636		flowinfo |= tos_value;
4637		flowinfo <<= 20;
4638		flowinfo |= flowlabel;
4639		ip6h->ip6_flow = htonl(flowinfo);
4640		if (port) {
4641			ip6h->ip6_nxt = IPPROTO_UDP;
4642		} else {
4643			ip6h->ip6_nxt = IPPROTO_SCTP;
4644		}
4645		ip6h->ip6_plen = (packet_length - sizeof(struct ip6_hdr));
4646		ip6h->ip6_dst = sin6->sin6_addr;
4647
4648		/*
4649		 * Add SRC address selection here: we can only reuse to a
4650		 * limited degree the kame src-addr-sel, since we can try
4651		 * their selection but it may not be bound.
4652		 */
4653		bzero(&lsa6_tmp, sizeof(lsa6_tmp));
4654		lsa6_tmp.sin6_family = AF_INET6;
4655#ifdef HAVE_SIN6_LEN
4656		lsa6_tmp.sin6_len = sizeof(lsa6_tmp);
4657#endif
4658		lsa6 = &lsa6_tmp;
4659		if (net && out_of_asoc_ok == 0) {
4660			if (net->ro._s_addr && (net->ro._s_addr->localifa_flags & (SCTP_BEING_DELETED|SCTP_ADDR_IFA_UNUSEABLE))) {
4661				sctp_free_ifa(net->ro._s_addr);
4662				net->ro._s_addr = NULL;
4663				net->src_addr_selected = 0;
4664				if (ro->ro_rt) {
4665					RTFREE(ro->ro_rt);
4666					ro->ro_rt = NULL;
4667				}
4668			}
4669			if (net->src_addr_selected == 0) {
4670#ifdef SCTP_EMBEDDED_V6_SCOPE
4671				sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
4672				/* KAME hack: embed scopeid */
4673#if defined(__APPLE__)
4674#if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
4675				if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL) != 0)
4676#else
4677				if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL, NULL) != 0)
4678#endif
4679#elif defined(SCTP_KAME)
4680				if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0)
4681#else
4682				if (in6_embedscope(&sin6->sin6_addr, sin6) != 0)
4683#endif
4684				{
4685					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4686					return (EINVAL);
4687				}
4688#endif /* SCTP_EMBEDDED_V6_SCOPE */
4689				/* Cache the source address */
4690				net->ro._s_addr = sctp_source_address_selection(inp,
4691										stcb,
4692										ro,
4693										net,
4694										0,
4695										vrf_id);
4696#ifdef SCTP_EMBEDDED_V6_SCOPE
4697#ifdef SCTP_KAME
4698				(void)sa6_recoverscope(sin6);
4699#else
4700				(void)in6_recoverscope(sin6, &sin6->sin6_addr, NULL);
4701#endif	/* SCTP_KAME */
4702#endif	/* SCTP_EMBEDDED_V6_SCOPE */
4703				net->src_addr_selected = 1;
4704			}
4705			if (net->ro._s_addr == NULL) {
4706				SCTPDBG(SCTP_DEBUG_OUTPUT3, "V6:No route to host\n");
4707				net->src_addr_selected = 0;
4708				sctp_handle_no_route(stcb, net, so_locked);
4709				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4710				sctp_m_freem(m);
4711				return (EHOSTUNREACH);
4712			}
4713			lsa6->sin6_addr = net->ro._s_addr->address.sin6.sin6_addr;
4714		} else {
4715#ifdef SCTP_EMBEDDED_V6_SCOPE
4716			sin6 = (struct sockaddr_in6 *)&ro->ro_dst;
4717			/* KAME hack: embed scopeid */
4718#if defined(__APPLE__)
4719#if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
4720			if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL) != 0)
4721#else
4722			if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL, NULL) != 0)
4723#endif
4724#elif defined(SCTP_KAME)
4725			if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0)
4726#else
4727			if (in6_embedscope(&sin6->sin6_addr, sin6) != 0)
4728#endif
4729			  {
4730				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4731				return (EINVAL);
4732			  }
4733#endif /* SCTP_EMBEDDED_V6_SCOPE */
4734			if (over_addr == NULL) {
4735				struct sctp_ifa *_lsrc;
4736
4737				_lsrc = sctp_source_address_selection(inp, stcb, ro,
4738				                                      net,
4739				                                      out_of_asoc_ok,
4740				                                      vrf_id);
4741				if (_lsrc == NULL) {
4742					sctp_handle_no_route(stcb, net, so_locked);
4743					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4744					sctp_m_freem(m);
4745					return (EHOSTUNREACH);
4746				}
4747				lsa6->sin6_addr = _lsrc->address.sin6.sin6_addr;
4748				sctp_free_ifa(_lsrc);
4749			} else {
4750				lsa6->sin6_addr = over_addr->sin6.sin6_addr;
4751				SCTP_RTALLOC(ro, vrf_id);
4752			}
4753#ifdef SCTP_EMBEDDED_V6_SCOPE
4754#ifdef SCTP_KAME
4755			(void)sa6_recoverscope(sin6);
4756#else
4757			(void)in6_recoverscope(sin6, &sin6->sin6_addr, NULL);
4758#endif	/* SCTP_KAME */
4759#endif	/* SCTP_EMBEDDED_V6_SCOPE */
4760		}
4761		lsa6->sin6_port = inp->sctp_lport;
4762
4763		if (ro->ro_rt == NULL) {
4764			/*
4765			 * src addr selection failed to find a route (or
4766			 * valid source addr), so we can't get there from
4767			 * here!
4768			 */
4769			sctp_handle_no_route(stcb, net, so_locked);
4770			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4771			sctp_m_freem(m);
4772			return (EHOSTUNREACH);
4773		}
4774#ifndef SCOPEDROUTING
4775#ifdef SCTP_EMBEDDED_V6_SCOPE
4776		/*
4777		 * XXX: sa6 may not have a valid sin6_scope_id in the
4778		 * non-SCOPEDROUTING case.
4779		 */
4780		bzero(&lsa6_storage, sizeof(lsa6_storage));
4781		lsa6_storage.sin6_family = AF_INET6;
4782#ifdef HAVE_SIN6_LEN
4783		lsa6_storage.sin6_len = sizeof(lsa6_storage);
4784#endif
4785#ifdef SCTP_KAME
4786		lsa6_storage.sin6_addr = lsa6->sin6_addr;
4787		if ((error = sa6_recoverscope(&lsa6_storage)) != 0) {
4788#else
4789		if ((error = in6_recoverscope(&lsa6_storage, &lsa6->sin6_addr,
4790		    NULL)) != 0) {
4791#endif				/* SCTP_KAME */
4792			SCTPDBG(SCTP_DEBUG_OUTPUT3, "recover scope fails error %d\n", error);
4793			sctp_m_freem(m);
4794			return (error);
4795		}
4796		/* XXX */
4797		lsa6_storage.sin6_addr = lsa6->sin6_addr;
4798		lsa6_storage.sin6_port = inp->sctp_lport;
4799		lsa6 = &lsa6_storage;
4800#endif /* SCTP_EMBEDDED_V6_SCOPE */
4801#endif /* SCOPEDROUTING */
4802		ip6h->ip6_src = lsa6->sin6_addr;
4803
4804		if (port) {
4805			if (htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port)) == 0) {
4806				sctp_handle_no_route(stcb, net, so_locked);
4807				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4808				sctp_m_freem(m);
4809				return (EHOSTUNREACH);
4810			}
4811			udp = (struct udphdr *)((caddr_t)ip6h + sizeof(struct ip6_hdr));
4812			udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
4813			udp->uh_dport = port;
4814			udp->uh_ulen = htons(packet_length - sizeof(struct ip6_hdr));
4815			udp->uh_sum = 0;
4816			sctphdr = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
4817		} else {
4818			sctphdr = (struct sctphdr *)((caddr_t)ip6h + sizeof(struct ip6_hdr));
4819		}
4820
4821		sctphdr->src_port = src_port;
4822		sctphdr->dest_port = dest_port;
4823		sctphdr->v_tag = v_tag;
4824		sctphdr->checksum = 0;
4825
4826		/*
4827		 * We set the hop limit now since there is a good chance
4828		 * that our ro pointer is now filled
4829		 */
4830		ip6h->ip6_hlim = SCTP_GET_HLIM(inp, ro);
4831#if !(defined(__Panda__) || defined(__Userspace__))
4832		ifp = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
4833#endif
4834
4835#ifdef SCTP_DEBUG
4836		/* Copy to be sure something bad is not happening */
4837		sin6->sin6_addr = ip6h->ip6_dst;
4838		lsa6->sin6_addr = ip6h->ip6_src;
4839#endif
4840
4841		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Calling ipv6 output routine from low level\n");
4842		SCTPDBG(SCTP_DEBUG_OUTPUT3, "src: ");
4843		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, (struct sockaddr *)lsa6);
4844		SCTPDBG(SCTP_DEBUG_OUTPUT3, "dst: ");
4845		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, (struct sockaddr *)sin6);
4846		if (net) {
4847			sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
4848			/* preserve the port and scope for link local send */
4849			prev_scope = sin6->sin6_scope_id;
4850			prev_port = sin6->sin6_port;
4851		}
4852
4853		if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
4854			/* failed to prepend data, give up */
4855			sctp_m_freem(m);
4856			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4857			return (ENOMEM);
4858		}
4859		SCTP_ATTACH_CHAIN(o_pak, m, packet_length);
4860		if (port) {
4861#if defined(SCTP_WITH_NO_CSUM)
4862			SCTP_STAT_INCR(sctps_sendnocrc);
4863#else
4864			sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
4865			SCTP_STAT_INCR(sctps_sendswcrc);
4866#endif
4867#if defined(__Windows__)
4868			udp->uh_sum = 0;
4869#elif !defined(__Userspace__)
4870			if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), packet_length - sizeof(struct ip6_hdr))) == 0) {
4871				udp->uh_sum = 0xffff;
4872			}
4873#endif
4874		} else {
4875#if defined(SCTP_WITH_NO_CSUM)
4876			SCTP_STAT_INCR(sctps_sendnocrc);
4877#else
4878#if defined(__FreeBSD__) && __FreeBSD_version >= 800000
4879#if __FreeBSD_version < 900000
4880			sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip6_hdr));
4881			SCTP_STAT_INCR(sctps_sendswcrc);
4882#else
4883#if __FreeBSD_version > 901000
4884			m->m_pkthdr.csum_flags = CSUM_SCTP_IPV6;
4885#else
4886			m->m_pkthdr.csum_flags = CSUM_SCTP;
4887#endif
4888			m->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
4889			SCTP_STAT_INCR(sctps_sendhwcrc);
4890#endif
4891#else
4892			if (!(SCTP_BASE_SYSCTL(sctp_no_csum_on_loopback) &&
4893			      (stcb) && (stcb->asoc.scope.loopback_scope))) {
4894				sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip6_hdr));
4895				SCTP_STAT_INCR(sctps_sendswcrc);
4896			} else {
4897				SCTP_STAT_INCR(sctps_sendnocrc);
4898			}
4899#endif
4900#endif
4901		}
4902		/* send it out. table id is taken from stcb */
4903#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4904		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4905			so = SCTP_INP_SO(inp);
4906			SCTP_SOCKET_UNLOCK(so, 0);
4907		}
4908#endif
4909#ifdef SCTP_PACKET_LOGGING
4910		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
4911			sctp_packet_log(o_pak);
4912#endif
4913#if !(defined(__Panda__) || defined(__Userspace__))
4914		SCTP_IP6_OUTPUT(ret, o_pak, (struct route_in6 *)ro, &ifp, stcb, vrf_id);
4915#else
4916		SCTP_IP6_OUTPUT(ret, o_pak, (struct route_in6 *)ro, NULL, stcb, vrf_id);
4917#endif
4918#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4919		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4920			atomic_add_int(&stcb->asoc.refcnt, 1);
4921			SCTP_TCB_UNLOCK(stcb);
4922			SCTP_SOCKET_LOCK(so, 0);
4923			SCTP_TCB_LOCK(stcb);
4924			atomic_subtract_int(&stcb->asoc.refcnt, 1);
4925		}
4926#endif
4927		if (net) {
4928			/* for link local this must be done */
4929			sin6->sin6_scope_id = prev_scope;
4930			sin6->sin6_port = prev_port;
4931		}
4932		SCTPDBG(SCTP_DEBUG_OUTPUT3, "return from send is %d\n", ret);
4933		SCTP_STAT_INCR(sctps_sendpackets);
4934		SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
4935		if (ret) {
4936			SCTP_STAT_INCR(sctps_senderrors);
4937		}
4938		if (net == NULL) {
4939			/* Now if we had a temp route free it */
4940#if defined(__FreeBSD__) && __FreeBSD_version > 901000
4941			RO_RTFREE(ro);
4942#else
4943			if (ro->ro_rt) {
4944				RTFREE(ro->ro_rt);
4945				ro->ro_rt = NULL;
4946			}
4947#endif
4948		} else {
4949			/* PMTU check versus smallest asoc MTU goes here */
4950			if (ro->ro_rt == NULL) {
4951				/* Route was freed */
4952				if (net->ro._s_addr &&
4953				    net->src_addr_selected) {
4954					sctp_free_ifa(net->ro._s_addr);
4955					net->ro._s_addr = NULL;
4956				}
4957				net->src_addr_selected = 0;
4958			}
4959			if ((ro->ro_rt != NULL) &&
4960			    (net->ro._s_addr)) {
4961				uint32_t mtu;
4962				mtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, ro->ro_rt);
4963				if (mtu &&
4964				    (stcb->asoc.smallest_mtu > mtu)) {
4965					sctp_mtu_size_reset(inp, &stcb->asoc, mtu);
4966					net->mtu = mtu;
4967					if (net->port) {
4968						net->mtu -= sizeof(struct udphdr);
4969					}
4970				}
4971			}
4972#if !defined(__Panda__) && !defined(__Userspace__)
4973			else if (ifp) {
4974#if defined(__Windows__)
4975#define ND_IFINFO(ifp)	(ifp)
4976#define linkmtu		if_mtu
4977#endif
4978				if (ND_IFINFO(ifp)->linkmtu &&
4979				    (stcb->asoc.smallest_mtu > ND_IFINFO(ifp)->linkmtu)) {
4980					sctp_mtu_size_reset(inp,
4981					    &stcb->asoc,
4982					    ND_IFINFO(ifp)->linkmtu);
4983				}
4984			}
4985#endif
4986		}
4987		return (ret);
4988	}
4989#endif
4990#if defined(__Userspace__)
4991	case AF_CONN:
4992	{
4993		char *buffer;
4994		struct sockaddr_conn *sconn;
4995		int len;
4996
4997		sconn = (struct sockaddr_conn *)to;
4998		len = sizeof(struct sctphdr);
4999		newm = sctp_get_mbuf_for_msg(len, 1, M_NOWAIT, 1, MT_DATA);
5000		if (newm == NULL) {
5001			sctp_m_freem(m);
5002			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
5003			return (ENOMEM);
5004		}
5005		SCTP_ALIGN_TO_END(newm, len);
5006		SCTP_BUF_LEN(newm) = len;
5007		SCTP_BUF_NEXT(newm) = m;
5008		m = newm;
5009		packet_length = sctp_calculate_len(m);
5010		sctphdr = mtod(m, struct sctphdr *);
5011		sctphdr->src_port = src_port;
5012		sctphdr->dest_port = dest_port;
5013		sctphdr->v_tag = v_tag;
5014		sctphdr->checksum = 0;
5015#if defined(SCTP_WITH_NO_CSUM)
5016		SCTP_STAT_INCR(sctps_sendnocrc);
5017#else
5018		sctphdr->checksum = sctp_calculate_cksum(m, 0);
5019		SCTP_STAT_INCR(sctps_sendswcrc);
5020#endif
5021		if (tos_value == 0) {
5022			tos_value = inp->ip_inp.inp.inp_ip_tos;
5023		}
5024		tos_value &= 0xfc;
5025		if (ecn_ok) {
5026			tos_value |= sctp_get_ect(stcb);
5027		}
5028		/* Don't alloc/free for each packet */
5029		if ((buffer = malloc(packet_length)) != NULL) {
5030			m_copydata(m, 0, packet_length, buffer);
5031			ret = SCTP_BASE_VAR(conn_output)(sconn->sconn_addr, buffer, packet_length, tos_value, nofragment_flag);
5032			free(buffer);
5033		} else {
5034			ret = ENOMEM;
5035		}
5036		sctp_m_freem(m);
5037		return (ret);
5038	}
5039#endif
5040	default:
5041		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Unknown protocol (TSNH) type %d\n",
5042		        ((struct sockaddr *)to)->sa_family);
5043		sctp_m_freem(m);
5044		SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
5045		return (EFAULT);
5046	}
5047}
5048
5049
5050void
5051sctp_send_initiate(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int so_locked
5052#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
5053    SCTP_UNUSED
5054#endif
5055    )
5056{
5057	struct mbuf *m, *m_last;
5058	struct sctp_nets *net;
5059	struct sctp_init_chunk *init;
5060	struct sctp_supported_addr_param *sup_addr;
5061	struct sctp_adaptation_layer_indication *ali;
5062	struct sctp_supported_chunk_types_param *pr_supported;
5063	struct sctp_paramhdr *ph;
5064	int cnt_inits_to = 0;
5065	int ret;
5066	uint16_t num_ext, chunk_len, padding_len, parameter_len;
5067
5068#if defined(__APPLE__)
5069	if (so_locked) {
5070		sctp_lock_assert(SCTP_INP_SO(inp));
5071	} else {
5072		sctp_unlock_assert(SCTP_INP_SO(inp));
5073	}
5074#endif
5075	/* INIT's always go to the primary (and usually ONLY address) */
5076	net = stcb->asoc.primary_destination;
5077	if (net == NULL) {
5078		net = TAILQ_FIRST(&stcb->asoc.nets);
5079		if (net == NULL) {
5080			/* TSNH */
5081			return;
5082		}
5083		/* we confirm any address we send an INIT to */
5084		net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
5085		(void)sctp_set_primary_addr(stcb, NULL, net);
5086	} else {
5087		/* we confirm any address we send an INIT to */
5088		net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
5089	}
5090	SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT\n");
5091#ifdef INET6
5092	if (net->ro._l_addr.sa.sa_family == AF_INET6) {
5093		/*
5094		 * special hook, if we are sending to link local it will not
5095		 * show up in our private address count.
5096		 */
5097		if (IN6_IS_ADDR_LINKLOCAL(&net->ro._l_addr.sin6.sin6_addr))
5098			cnt_inits_to = 1;
5099	}
5100#endif
5101	if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
5102		/* This case should not happen */
5103		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - failed timer?\n");
5104		return;
5105	}
5106	/* start the INIT timer */
5107	sctp_timer_start(SCTP_TIMER_TYPE_INIT, inp, stcb, net);
5108
5109	m = sctp_get_mbuf_for_msg(MCLBYTES, 1, M_NOWAIT, 1, MT_DATA);
5110	if (m == NULL) {
5111		/* No memory, INIT timer will re-attempt. */
5112		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - mbuf?\n");
5113		return;
5114	}
5115	chunk_len = (uint16_t)sizeof(struct sctp_init_chunk);
5116	padding_len = 0;
5117	/* Now lets put the chunk header in place */
5118	init = mtod(m, struct sctp_init_chunk *);
5119	/* now the chunk header */
5120	init->ch.chunk_type = SCTP_INITIATION;
5121	init->ch.chunk_flags = 0;
5122	/* fill in later from mbuf we build */
5123	init->ch.chunk_length = 0;
5124	/* place in my tag */
5125	init->init.initiate_tag = htonl(stcb->asoc.my_vtag);
5126	/* set up some of the credits. */
5127	init->init.a_rwnd = htonl(max(inp->sctp_socket?SCTP_SB_LIMIT_RCV(inp->sctp_socket):0,
5128	                              SCTP_MINIMAL_RWND));
5129	init->init.num_outbound_streams = htons(stcb->asoc.pre_open_streams);
5130	init->init.num_inbound_streams = htons(stcb->asoc.max_inbound_streams);
5131	init->init.initial_tsn = htonl(stcb->asoc.init_seq_number);
5132
5133	/* Adaptation layer indication parameter */
5134	if (inp->sctp_ep.adaptation_layer_indicator_provided) {
5135		parameter_len = (uint16_t)sizeof(struct sctp_adaptation_layer_indication);
5136		ali = (struct sctp_adaptation_layer_indication *)(mtod(m, caddr_t) + chunk_len);
5137		ali->ph.param_type = htons(SCTP_ULP_ADAPTATION);
5138		ali->ph.param_length = htons(parameter_len);
5139		ali->indication = htonl(inp->sctp_ep.adaptation_layer_indicator);
5140		chunk_len += parameter_len;
5141	}
5142
5143	/* ECN parameter */
5144	if (stcb->asoc.ecn_supported == 1) {
5145		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
5146		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t) + chunk_len);
5147		ph->param_type = htons(SCTP_ECN_CAPABLE);
5148		ph->param_length = htons(parameter_len);
5149		chunk_len += parameter_len;
5150	}
5151
5152	/* PR-SCTP supported parameter */
5153	if (stcb->asoc.prsctp_supported == 1) {
5154		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
5155		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t) + chunk_len);
5156		ph->param_type = htons(SCTP_PRSCTP_SUPPORTED);
5157		ph->param_length = htons(parameter_len);
5158		chunk_len += parameter_len;
5159	}
5160
5161	/* Add NAT friendly parameter. */
5162	if (SCTP_BASE_SYSCTL(sctp_inits_include_nat_friendly)) {
5163		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
5164		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t) + chunk_len);
5165		ph->param_type = htons(SCTP_HAS_NAT_SUPPORT);
5166		ph->param_length = htons(parameter_len);
5167		chunk_len += parameter_len;
5168	}
5169
5170	/* And now tell the peer which extensions we support */
5171	num_ext = 0;
5172	pr_supported = (struct sctp_supported_chunk_types_param *)(mtod(m, caddr_t) + chunk_len);
5173	if (stcb->asoc.prsctp_supported == 1) {
5174		pr_supported->chunk_types[num_ext++] = SCTP_FORWARD_CUM_TSN;
5175	}
5176	if (stcb->asoc.auth_supported == 1) {
5177		pr_supported->chunk_types[num_ext++] = SCTP_AUTHENTICATION;
5178	}
5179	if (stcb->asoc.asconf_supported == 1) {
5180		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF;
5181		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF_ACK;
5182	}
5183	if (stcb->asoc.reconfig_supported == 1) {
5184		pr_supported->chunk_types[num_ext++] = SCTP_STREAM_RESET;
5185	}
5186	if (stcb->asoc.nrsack_supported == 1) {
5187		pr_supported->chunk_types[num_ext++] = SCTP_NR_SELECTIVE_ACK;
5188	}
5189	if (stcb->asoc.pktdrop_supported == 1) {
5190		pr_supported->chunk_types[num_ext++] = SCTP_PACKET_DROPPED;
5191	}
5192	if (num_ext > 0) {
5193		parameter_len = (uint16_t)sizeof(struct sctp_supported_chunk_types_param) + num_ext;
5194		pr_supported->ph.param_type = htons(SCTP_SUPPORTED_CHUNK_EXT);
5195		pr_supported->ph.param_length = htons(parameter_len);
5196		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
5197		chunk_len += parameter_len;
5198	}
5199	/* add authentication parameters */
5200	if (stcb->asoc.auth_supported) {
5201		/* attach RANDOM parameter, if available */
5202		if (stcb->asoc.authinfo.random != NULL) {
5203			struct sctp_auth_random *randp;
5204
5205			if (padding_len > 0) {
5206				memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
5207				chunk_len += padding_len;
5208				padding_len = 0;
5209			}
5210			randp = (struct sctp_auth_random *)(mtod(m, caddr_t) + chunk_len);
5211			parameter_len = (uint16_t)sizeof(struct sctp_auth_random) + stcb->asoc.authinfo.random_len;
5212			/* random key already contains the header */
5213			memcpy(randp, stcb->asoc.authinfo.random->key, parameter_len);
5214			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
5215			chunk_len += parameter_len;
5216		}
5217		/* add HMAC_ALGO parameter */
5218		if (stcb->asoc.local_hmacs != NULL) {
5219			struct sctp_auth_hmac_algo *hmacs;
5220
5221			if (padding_len > 0) {
5222				memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
5223				chunk_len += padding_len;
5224				padding_len = 0;
5225			}
5226			hmacs = (struct sctp_auth_hmac_algo *)(mtod(m, caddr_t) + chunk_len);
5227			parameter_len = (uint16_t)(sizeof(struct sctp_auth_hmac_algo) +
5228			                           stcb->asoc.local_hmacs->num_algo * sizeof(uint16_t));
5229			hmacs->ph.param_type = htons(SCTP_HMAC_LIST);
5230			hmacs->ph.param_length = htons(parameter_len);
5231			sctp_serialize_hmaclist(stcb->asoc.local_hmacs, (uint8_t *)hmacs->hmac_ids);
5232			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
5233			chunk_len += parameter_len;
5234		}
5235		/* add CHUNKS parameter */
5236		if (stcb->asoc.local_auth_chunks != NULL) {
5237			struct sctp_auth_chunk_list *chunks;
5238
5239			if (padding_len > 0) {
5240				memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
5241				chunk_len += padding_len;
5242				padding_len = 0;
5243			}
5244			chunks = (struct sctp_auth_chunk_list *)(mtod(m, caddr_t) + chunk_len);
5245			parameter_len = (uint16_t)(sizeof(struct sctp_auth_chunk_list) +
5246			                           sctp_auth_get_chklist_size(stcb->asoc.local_auth_chunks));
5247			chunks->ph.param_type = htons(SCTP_CHUNK_LIST);
5248			chunks->ph.param_length = htons(parameter_len);
5249			sctp_serialize_auth_chunks(stcb->asoc.local_auth_chunks, chunks->chunk_types);
5250			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
5251			chunk_len += parameter_len;
5252		}
5253	}
5254
5255	/* now any cookie time extensions */
5256	if (stcb->asoc.cookie_preserve_req) {
5257		struct sctp_cookie_perserve_param *cookie_preserve;
5258
5259		if (padding_len > 0) {
5260			memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
5261			chunk_len += padding_len;
5262			padding_len = 0;
5263		}
5264		parameter_len = (uint16_t)sizeof(struct sctp_cookie_perserve_param);
5265		cookie_preserve = (struct sctp_cookie_perserve_param *)(mtod(m, caddr_t) + chunk_len);
5266		cookie_preserve->ph.param_type = htons(SCTP_COOKIE_PRESERVE);
5267		cookie_preserve->ph.param_length = htons(parameter_len);
5268		cookie_preserve->time = htonl(stcb->asoc.cookie_preserve_req);
5269		stcb->asoc.cookie_preserve_req = 0;
5270		chunk_len += parameter_len;
5271	}
5272
5273	if (stcb->asoc.scope.ipv4_addr_legal || stcb->asoc.scope.ipv6_addr_legal) {
5274		uint8_t i;
5275
5276		if (padding_len > 0) {
5277			memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
5278			chunk_len += padding_len;
5279			padding_len = 0;
5280		}
5281		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
5282		if (stcb->asoc.scope.ipv4_addr_legal) {
5283			parameter_len += (uint16_t)sizeof(uint16_t);
5284		}
5285		if (stcb->asoc.scope.ipv6_addr_legal) {
5286			parameter_len += (uint16_t)sizeof(uint16_t);
5287		}
5288		sup_addr = (struct sctp_supported_addr_param *)(mtod(m, caddr_t) + chunk_len);
5289		sup_addr->ph.param_type = htons(SCTP_SUPPORTED_ADDRTYPE);
5290		sup_addr->ph.param_length = htons(parameter_len);
5291		i = 0;
5292		if (stcb->asoc.scope.ipv4_addr_legal) {
5293			sup_addr->addr_type[i++] = htons(SCTP_IPV4_ADDRESS);
5294		}
5295		if (stcb->asoc.scope.ipv6_addr_legal) {
5296			sup_addr->addr_type[i++] = htons(SCTP_IPV6_ADDRESS);
5297		}
5298		padding_len = 4 - 2 * i;
5299		chunk_len += parameter_len;
5300	}
5301
5302	SCTP_BUF_LEN(m) = chunk_len;
5303	/* now the addresses */
5304	/* To optimize this we could put the scoping stuff
5305	 * into a structure and remove the individual uint8's from
5306	 * the assoc structure. Then we could just sifa in the
5307	 * address within the stcb. But for now this is a quick
5308	 * hack to get the address stuff teased apart.
5309	 */
5310	m_last = sctp_add_addresses_to_i_ia(inp, stcb, &stcb->asoc.scope,
5311	                                    m, cnt_inits_to,
5312	                                    &padding_len, &chunk_len);
5313
5314	init->ch.chunk_length = htons(chunk_len);
5315	if (padding_len > 0) {
5316		if (sctp_add_pad_tombuf(m_last, padding_len) == NULL) {
5317			sctp_m_freem(m);
5318			return;
5319		}
5320	}
5321	SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - calls lowlevel_output\n");
5322	ret = sctp_lowlevel_chunk_output(inp, stcb, net,
5323	                                 (struct sockaddr *)&net->ro._l_addr,
5324	                                 m, 0, NULL, 0, 0, 0, 0,
5325	                                 inp->sctp_lport, stcb->rport, htonl(0),
5326	                                 net->port, NULL,
5327#if defined(__FreeBSD__)
5328	                                 0, 0,
5329#endif
5330	                                 so_locked);
5331	SCTPDBG(SCTP_DEBUG_OUTPUT4, "lowlevel_output - %d\n", ret);
5332	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
5333	(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
5334}
5335
5336struct mbuf *
5337sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
5338	int param_offset, int *abort_processing, struct sctp_chunkhdr *cp, int *nat_friendly)
5339{
5340	/*
5341	 * Given a mbuf containing an INIT or INIT-ACK with the param_offset
5342	 * being equal to the beginning of the params i.e. (iphlen +
5343	 * sizeof(struct sctp_init_msg) parse through the parameters to the
5344	 * end of the mbuf verifying that all parameters are known.
5345	 *
5346	 * For unknown parameters build and return a mbuf with
5347	 * UNRECOGNIZED_PARAMETER errors. If the flags indicate to stop
5348	 * processing this chunk stop, and set *abort_processing to 1.
5349	 *
5350	 * By having param_offset be pre-set to where parameters begin it is
5351	 * hoped that this routine may be reused in the future by new
5352	 * features.
5353	 */
5354	struct sctp_paramhdr *phdr, params;
5355
5356	struct mbuf *mat, *op_err;
5357	char tempbuf[SCTP_PARAM_BUFFER_SIZE];
5358	int at, limit, pad_needed;
5359	uint16_t ptype, plen, padded_size;
5360	int err_at;
5361
5362	*abort_processing = 0;
5363	mat = in_initpkt;
5364	err_at = 0;
5365	limit = ntohs(cp->chunk_length) - sizeof(struct sctp_init_chunk);
5366	at = param_offset;
5367	op_err = NULL;
5368	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Check for unrecognized param's\n");
5369	phdr = sctp_get_next_param(mat, at, &params, sizeof(params));
5370	while ((phdr != NULL) && ((size_t)limit >= sizeof(struct sctp_paramhdr))) {
5371		ptype = ntohs(phdr->param_type);
5372		plen = ntohs(phdr->param_length);
5373		if ((plen > limit) || (plen < sizeof(struct sctp_paramhdr))) {
5374			/* wacked parameter */
5375			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error %d\n", plen);
5376			goto invalid_size;
5377		}
5378		limit -= SCTP_SIZE32(plen);
5379		/*-
5380		 * All parameters for all chunks that we know/understand are
5381		 * listed here. We process them other places and make
5382		 * appropriate stop actions per the upper bits. However this
5383		 * is the generic routine processor's can call to get back
5384		 * an operr.. to either incorporate (init-ack) or send.
5385		 */
5386		padded_size = SCTP_SIZE32(plen);
5387		switch (ptype) {
5388			/* Param's with variable size */
5389		case SCTP_HEARTBEAT_INFO:
5390		case SCTP_STATE_COOKIE:
5391		case SCTP_UNRECOG_PARAM:
5392		case SCTP_ERROR_CAUSE_IND:
5393			/* ok skip fwd */
5394			at += padded_size;
5395			break;
5396			/* Param's with variable size within a range */
5397		case SCTP_CHUNK_LIST:
5398		case SCTP_SUPPORTED_CHUNK_EXT:
5399			if (padded_size > (sizeof(struct sctp_supported_chunk_types_param) + (sizeof(uint8_t) * SCTP_MAX_SUPPORTED_EXT))) {
5400				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error chklist %d\n", plen);
5401				goto invalid_size;
5402			}
5403			at += padded_size;
5404			break;
5405		case SCTP_SUPPORTED_ADDRTYPE:
5406			if (padded_size > SCTP_MAX_ADDR_PARAMS_SIZE) {
5407				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error supaddrtype %d\n", plen);
5408				goto invalid_size;
5409			}
5410			at += padded_size;
5411			break;
5412		case SCTP_RANDOM:
5413			if (padded_size > (sizeof(struct sctp_auth_random) + SCTP_RANDOM_MAX_SIZE)) {
5414				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error random %d\n", plen);
5415				goto invalid_size;
5416			}
5417			at += padded_size;
5418			break;
5419		case SCTP_SET_PRIM_ADDR:
5420		case SCTP_DEL_IP_ADDRESS:
5421		case SCTP_ADD_IP_ADDRESS:
5422			if ((padded_size != sizeof(struct sctp_asconf_addrv4_param)) &&
5423			    (padded_size != sizeof(struct sctp_asconf_addr_param))) {
5424				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error setprim %d\n", plen);
5425				goto invalid_size;
5426			}
5427			at += padded_size;
5428			break;
5429			/* Param's with a fixed size */
5430		case SCTP_IPV4_ADDRESS:
5431			if (padded_size != sizeof(struct sctp_ipv4addr_param)) {
5432				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ipv4 addr %d\n", plen);
5433				goto invalid_size;
5434			}
5435			at += padded_size;
5436			break;
5437		case SCTP_IPV6_ADDRESS:
5438			if (padded_size != sizeof(struct sctp_ipv6addr_param)) {
5439				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ipv6 addr %d\n", plen);
5440				goto invalid_size;
5441			}
5442			at += padded_size;
5443			break;
5444		case SCTP_COOKIE_PRESERVE:
5445			if (padded_size != sizeof(struct sctp_cookie_perserve_param)) {
5446				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error cookie-preserve %d\n", plen);
5447				goto invalid_size;
5448			}
5449			at += padded_size;
5450			break;
5451		case SCTP_HAS_NAT_SUPPORT:
5452			*nat_friendly = 1;
5453			/* fall through */
5454		case SCTP_PRSCTP_SUPPORTED:
5455			if (padded_size != sizeof(struct sctp_paramhdr)) {
5456				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error prsctp/nat support %d\n", plen);
5457				goto invalid_size;
5458			}
5459			at += padded_size;
5460			break;
5461		case SCTP_ECN_CAPABLE:
5462			if (padded_size != sizeof(struct sctp_paramhdr)) {
5463				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ecn %d\n", plen);
5464				goto invalid_size;
5465			}
5466			at += padded_size;
5467			break;
5468		case SCTP_ULP_ADAPTATION:
5469			if (padded_size != sizeof(struct sctp_adaptation_layer_indication)) {
5470				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error adapatation %d\n", plen);
5471				goto invalid_size;
5472			}
5473			at += padded_size;
5474			break;
5475		case SCTP_SUCCESS_REPORT:
5476			if (padded_size != sizeof(struct sctp_asconf_paramhdr)) {
5477				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error success %d\n", plen);
5478				goto invalid_size;
5479			}
5480			at += padded_size;
5481			break;
5482		case SCTP_HOSTNAME_ADDRESS:
5483		{
5484			/* We can NOT handle HOST NAME addresses!! */
5485			int l_len;
5486
5487			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Can't handle hostname addresses.. abort processing\n");
5488			*abort_processing = 1;
5489			if (op_err == NULL) {
5490				/* Ok need to try to get a mbuf */
5491#ifdef INET6
5492				l_len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
5493#else
5494				l_len = sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
5495#endif
5496				l_len += plen;
5497				l_len += sizeof(struct sctp_paramhdr);
5498				op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
5499				if (op_err) {
5500					SCTP_BUF_LEN(op_err) = 0;
5501					/*
5502					 * pre-reserve space for ip and sctp
5503					 * header  and chunk hdr
5504					 */
5505#ifdef INET6
5506					SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
5507#else
5508					SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
5509#endif
5510					SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
5511					SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
5512				}
5513			}
5514			if (op_err) {
5515				/* If we have space */
5516				struct sctp_paramhdr s;
5517
5518				if (err_at % 4) {
5519					uint32_t cpthis = 0;
5520
5521					pad_needed = 4 - (err_at % 4);
5522					m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
5523					err_at += pad_needed;
5524				}
5525				s.param_type = htons(SCTP_CAUSE_UNRESOLVABLE_ADDR);
5526				s.param_length = htons(sizeof(s) + plen);
5527				m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
5528				err_at += sizeof(s);
5529				phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, min(sizeof(tempbuf),plen));
5530				if (phdr == NULL) {
5531					sctp_m_freem(op_err);
5532					/*
5533					 * we are out of memory but we still
5534					 * need to have a look at what to do
5535					 * (the system is in trouble
5536					 * though).
5537					 */
5538					return (NULL);
5539				}
5540				m_copyback(op_err, err_at, plen, (caddr_t)phdr);
5541			}
5542			return (op_err);
5543			break;
5544		}
5545		default:
5546			/*
5547			 * we do not recognize the parameter figure out what
5548			 * we do.
5549			 */
5550			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Hit default param %x\n", ptype);
5551			if ((ptype & 0x4000) == 0x4000) {
5552				/* Report bit is set?? */
5553				SCTPDBG(SCTP_DEBUG_OUTPUT1, "report op err\n");
5554				if (op_err == NULL) {
5555					int l_len;
5556					/* Ok need to try to get an mbuf */
5557#ifdef INET6
5558					l_len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
5559#else
5560					l_len = sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
5561#endif
5562					l_len += plen;
5563					l_len += sizeof(struct sctp_paramhdr);
5564					op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
5565					if (op_err) {
5566						SCTP_BUF_LEN(op_err) = 0;
5567#ifdef INET6
5568						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
5569#else
5570						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
5571#endif
5572						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
5573						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
5574					}
5575				}
5576				if (op_err) {
5577					/* If we have space */
5578					struct sctp_paramhdr s;
5579
5580					if (err_at % 4) {
5581						uint32_t cpthis = 0;
5582
5583						pad_needed = 4 - (err_at % 4);
5584						m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
5585						err_at += pad_needed;
5586					}
5587					s.param_type = htons(SCTP_UNRECOG_PARAM);
5588					s.param_length = htons(sizeof(s) + plen);
5589					m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
5590					err_at += sizeof(s);
5591					if (plen > sizeof(tempbuf)) {
5592						plen = sizeof(tempbuf);
5593					}
5594					phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, min(sizeof(tempbuf),plen));
5595					if (phdr == NULL) {
5596						sctp_m_freem(op_err);
5597						/*
5598						 * we are out of memory but
5599						 * we still need to have a
5600						 * look at what to do (the
5601						 * system is in trouble
5602						 * though).
5603						 */
5604						op_err = NULL;
5605						goto more_processing;
5606					}
5607					m_copyback(op_err, err_at, plen, (caddr_t)phdr);
5608					err_at += plen;
5609				}
5610			}
5611		more_processing:
5612			if ((ptype & 0x8000) == 0x0000) {
5613				SCTPDBG(SCTP_DEBUG_OUTPUT1, "stop proc\n");
5614				return (op_err);
5615			} else {
5616				/* skip this chunk and continue processing */
5617				SCTPDBG(SCTP_DEBUG_OUTPUT1, "move on\n");
5618				at += SCTP_SIZE32(plen);
5619			}
5620			break;
5621
5622		}
5623		phdr = sctp_get_next_param(mat, at, &params, sizeof(params));
5624	}
5625	return (op_err);
5626 invalid_size:
5627	SCTPDBG(SCTP_DEBUG_OUTPUT1, "abort flag set\n");
5628	*abort_processing = 1;
5629	if ((op_err == NULL) && phdr) {
5630		int l_len;
5631#ifdef INET6
5632		l_len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
5633#else
5634		l_len = sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
5635#endif
5636		l_len += (2 * sizeof(struct sctp_paramhdr));
5637		op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
5638		if (op_err) {
5639			SCTP_BUF_LEN(op_err) = 0;
5640#ifdef INET6
5641			SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
5642#else
5643			SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
5644#endif
5645			SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
5646			SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
5647		}
5648	}
5649	if ((op_err) && phdr) {
5650		struct sctp_paramhdr s;
5651
5652		if (err_at % 4) {
5653			uint32_t cpthis = 0;
5654
5655			pad_needed = 4 - (err_at % 4);
5656			m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
5657			err_at += pad_needed;
5658		}
5659		s.param_type = htons(SCTP_CAUSE_PROTOCOL_VIOLATION);
5660		s.param_length = htons(sizeof(s) + sizeof(struct sctp_paramhdr));
5661		m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
5662		err_at += sizeof(s);
5663		/* Only copy back the p-hdr that caused the issue */
5664		m_copyback(op_err, err_at, sizeof(struct sctp_paramhdr), (caddr_t)phdr);
5665	}
5666	return (op_err);
5667}
5668
5669static int
5670sctp_are_there_new_addresses(struct sctp_association *asoc,
5671    struct mbuf *in_initpkt, int offset, struct sockaddr *src)
5672{
5673	/*
5674	 * Given a INIT packet, look through the packet to verify that there
5675	 * are NO new addresses. As we go through the parameters add reports
5676	 * of any un-understood parameters that require an error.  Also we
5677	 * must return (1) to drop the packet if we see a un-understood
5678	 * parameter that tells us to drop the chunk.
5679	 */
5680	struct sockaddr *sa_touse;
5681	struct sockaddr *sa;
5682	struct sctp_paramhdr *phdr, params;
5683	uint16_t ptype, plen;
5684	uint8_t fnd;
5685	struct sctp_nets *net;
5686#ifdef INET
5687	struct sockaddr_in sin4, *sa4;
5688#endif
5689#ifdef INET6
5690	struct sockaddr_in6 sin6, *sa6;
5691#endif
5692
5693#ifdef INET
5694	memset(&sin4, 0, sizeof(sin4));
5695	sin4.sin_family = AF_INET;
5696#ifdef HAVE_SIN_LEN
5697	sin4.sin_len = sizeof(sin4);
5698#endif
5699#endif
5700#ifdef INET6
5701	memset(&sin6, 0, sizeof(sin6));
5702	sin6.sin6_family = AF_INET6;
5703#ifdef HAVE_SIN6_LEN
5704	sin6.sin6_len = sizeof(sin6);
5705#endif
5706#endif
5707	/* First what about the src address of the pkt ? */
5708	fnd = 0;
5709	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5710		sa = (struct sockaddr *)&net->ro._l_addr;
5711		if (sa->sa_family == src->sa_family) {
5712#ifdef INET
5713			if (sa->sa_family == AF_INET) {
5714				struct sockaddr_in *src4;
5715
5716				sa4 = (struct sockaddr_in *)sa;
5717				src4 = (struct sockaddr_in *)src;
5718				if (sa4->sin_addr.s_addr == src4->sin_addr.s_addr) {
5719					fnd = 1;
5720					break;
5721				}
5722			}
5723#endif
5724#ifdef INET6
5725			if (sa->sa_family == AF_INET6) {
5726				struct sockaddr_in6 *src6;
5727
5728				sa6 = (struct sockaddr_in6 *)sa;
5729				src6 = (struct sockaddr_in6 *)src;
5730				if (SCTP6_ARE_ADDR_EQUAL(sa6, src6)) {
5731					fnd = 1;
5732					break;
5733				}
5734			}
5735#endif
5736		}
5737	}
5738	if (fnd == 0) {
5739		/* New address added! no need to look futher. */
5740		return (1);
5741	}
5742	/* Ok so far lets munge through the rest of the packet */
5743	offset += sizeof(struct sctp_init_chunk);
5744	phdr = sctp_get_next_param(in_initpkt, offset, &params, sizeof(params));
5745	while (phdr) {
5746		sa_touse = NULL;
5747		ptype = ntohs(phdr->param_type);
5748		plen = ntohs(phdr->param_length);
5749		switch (ptype) {
5750#ifdef INET
5751		case SCTP_IPV4_ADDRESS:
5752		{
5753			struct sctp_ipv4addr_param *p4, p4_buf;
5754
5755			phdr = sctp_get_next_param(in_initpkt, offset,
5756			    (struct sctp_paramhdr *)&p4_buf, sizeof(p4_buf));
5757			if (plen != sizeof(struct sctp_ipv4addr_param) ||
5758			    phdr == NULL) {
5759				return (1);
5760			}
5761			p4 = (struct sctp_ipv4addr_param *)phdr;
5762			sin4.sin_addr.s_addr = p4->addr;
5763			sa_touse = (struct sockaddr *)&sin4;
5764			break;
5765		}
5766#endif
5767#ifdef INET6
5768		case SCTP_IPV6_ADDRESS:
5769		{
5770			struct sctp_ipv6addr_param *p6, p6_buf;
5771
5772			phdr = sctp_get_next_param(in_initpkt, offset,
5773			    (struct sctp_paramhdr *)&p6_buf, sizeof(p6_buf));
5774			if (plen != sizeof(struct sctp_ipv6addr_param) ||
5775			    phdr == NULL) {
5776				return (1);
5777			}
5778			p6 = (struct sctp_ipv6addr_param *)phdr;
5779			memcpy((caddr_t)&sin6.sin6_addr, p6->addr,
5780			    sizeof(p6->addr));
5781			sa_touse = (struct sockaddr *)&sin6;
5782			break;
5783		}
5784#endif
5785		default:
5786			sa_touse = NULL;
5787			break;
5788		}
5789		if (sa_touse) {
5790			/* ok, sa_touse points to one to check */
5791			fnd = 0;
5792			TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5793				sa = (struct sockaddr *)&net->ro._l_addr;
5794				if (sa->sa_family != sa_touse->sa_family) {
5795					continue;
5796				}
5797#ifdef INET
5798				if (sa->sa_family == AF_INET) {
5799					sa4 = (struct sockaddr_in *)sa;
5800					if (sa4->sin_addr.s_addr ==
5801					    sin4.sin_addr.s_addr) {
5802						fnd = 1;
5803						break;
5804					}
5805				}
5806#endif
5807#ifdef INET6
5808				if (sa->sa_family == AF_INET6) {
5809					sa6 = (struct sockaddr_in6 *)sa;
5810					if (SCTP6_ARE_ADDR_EQUAL(
5811					    sa6, &sin6)) {
5812						fnd = 1;
5813						break;
5814					}
5815				}
5816#endif
5817			}
5818			if (!fnd) {
5819				/* New addr added! no need to look further */
5820				return (1);
5821			}
5822		}
5823		offset += SCTP_SIZE32(plen);
5824		phdr = sctp_get_next_param(in_initpkt, offset, &params, sizeof(params));
5825	}
5826	return (0);
5827}
5828
5829/*
5830 * Given a MBUF chain that was sent into us containing an INIT. Build a
5831 * INIT-ACK with COOKIE and send back. We assume that the in_initpkt has done
5832 * a pullup to include IPv6/4header, SCTP header and initial part of INIT
5833 * message (i.e. the struct sctp_init_msg).
5834 */
5835void
5836sctp_send_initiate_ack(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
5837                       struct mbuf *init_pkt, int iphlen, int offset,
5838                       struct sockaddr *src, struct sockaddr *dst,
5839                       struct sctphdr *sh, struct sctp_init_chunk *init_chk,
5840#if defined(__FreeBSD__)
5841		       uint8_t use_mflowid, uint32_t mflowid,
5842#endif
5843                       uint32_t vrf_id, uint16_t port, int hold_inp_lock)
5844{
5845	struct sctp_association *asoc;
5846	struct mbuf *m, *m_tmp, *m_last, *m_cookie, *op_err;
5847	struct sctp_init_ack_chunk *initack;
5848	struct sctp_adaptation_layer_indication *ali;
5849	struct sctp_supported_chunk_types_param *pr_supported;
5850	struct sctp_paramhdr *ph;
5851	union sctp_sockstore *over_addr;
5852	struct sctp_scoping scp;
5853#ifdef INET
5854	struct sockaddr_in *dst4 = (struct sockaddr_in *)dst;
5855	struct sockaddr_in *src4 = (struct sockaddr_in *)src;
5856	struct sockaddr_in *sin;
5857#endif
5858#ifdef INET6
5859	struct sockaddr_in6 *dst6 = (struct sockaddr_in6 *)dst;
5860	struct sockaddr_in6 *src6 = (struct sockaddr_in6 *)src;
5861	struct sockaddr_in6 *sin6;
5862#endif
5863#if defined(__Userspace__)
5864	struct sockaddr_conn *dstconn = (struct sockaddr_conn *)dst;
5865	struct sockaddr_conn *srcconn = (struct sockaddr_conn *)src;
5866	struct sockaddr_conn *sconn;
5867#endif
5868	struct sockaddr *to;
5869	struct sctp_state_cookie stc;
5870	struct sctp_nets *net = NULL;
5871	uint8_t *signature = NULL;
5872	int cnt_inits_to = 0;
5873	uint16_t his_limit, i_want;
5874	int abort_flag;
5875	int nat_friendly = 0;
5876	struct socket *so;
5877	uint16_t num_ext, chunk_len, padding_len, parameter_len;
5878
5879	if (stcb) {
5880		asoc = &stcb->asoc;
5881	} else {
5882		asoc = NULL;
5883	}
5884	if ((asoc != NULL) &&
5885	    (SCTP_GET_STATE(asoc) != SCTP_STATE_COOKIE_WAIT) &&
5886	    (sctp_are_there_new_addresses(asoc, init_pkt, offset, src))) {
5887		/* new addresses, out of here in non-cookie-wait states */
5888		/*
5889		 * Send a ABORT, we don't add the new address error clause
5890		 * though we even set the T bit and copy in the 0 tag.. this
5891		 * looks no different than if no listener was present.
5892		 */
5893		op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5894		                             "Address added");
5895		sctp_send_abort(init_pkt, iphlen, src, dst, sh, 0, op_err,
5896#if defined(__FreeBSD__)
5897		                use_mflowid, mflowid,
5898#endif
5899		                vrf_id, port);
5900		return;
5901	}
5902	abort_flag = 0;
5903	op_err = sctp_arethere_unrecognized_parameters(init_pkt,
5904						       (offset + sizeof(struct sctp_init_chunk)),
5905						       &abort_flag, (struct sctp_chunkhdr *)init_chk, &nat_friendly);
5906	if (abort_flag) {
5907	do_a_abort:
5908		if (op_err == NULL) {
5909			char msg[SCTP_DIAG_INFO_LEN];
5910
5911			snprintf(msg, sizeof(msg), "%s:%d at %s\n", __FILE__, __LINE__, __FUNCTION__);
5912			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5913			                             msg);
5914		}
5915		sctp_send_abort(init_pkt, iphlen, src, dst, sh,
5916				init_chk->init.initiate_tag, op_err,
5917#if defined(__FreeBSD__)
5918		                use_mflowid, mflowid,
5919#endif
5920		                vrf_id, port);
5921		return;
5922	}
5923	m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
5924	if (m == NULL) {
5925		/* No memory, INIT timer will re-attempt. */
5926		if (op_err)
5927			sctp_m_freem(op_err);
5928		return;
5929	}
5930	chunk_len = (uint16_t)sizeof(struct sctp_init_ack_chunk);
5931	padding_len = 0;
5932
5933	/*
5934	 * We might not overwrite the identification[] completely and on
5935	 * some platforms time_entered will contain some padding.
5936	 * Therefore zero out the cookie to avoid putting
5937	 * uninitialized memory on the wire.
5938	 */
5939	memset(&stc, 0, sizeof(struct sctp_state_cookie));
5940
5941	/* the time I built cookie */
5942	(void)SCTP_GETTIME_TIMEVAL(&stc.time_entered);
5943
5944	/* populate any tie tags */
5945	if (asoc != NULL) {
5946		/* unlock before tag selections */
5947		stc.tie_tag_my_vtag = asoc->my_vtag_nonce;
5948		stc.tie_tag_peer_vtag = asoc->peer_vtag_nonce;
5949		stc.cookie_life = asoc->cookie_life;
5950		net = asoc->primary_destination;
5951	} else {
5952		stc.tie_tag_my_vtag = 0;
5953		stc.tie_tag_peer_vtag = 0;
5954		/* life I will award this cookie */
5955		stc.cookie_life = inp->sctp_ep.def_cookie_life;
5956	}
5957
5958	/* copy in the ports for later check */
5959	stc.myport = sh->dest_port;
5960	stc.peerport = sh->src_port;
5961
5962	/*
5963	 * If we wanted to honor cookie life extentions, we would add to
5964	 * stc.cookie_life. For now we should NOT honor any extension
5965	 */
5966	stc.site_scope = stc.local_scope = stc.loopback_scope = 0;
5967	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
5968		stc.ipv6_addr_legal = 1;
5969		if (SCTP_IPV6_V6ONLY(inp)) {
5970			stc.ipv4_addr_legal = 0;
5971		} else {
5972			stc.ipv4_addr_legal = 1;
5973		}
5974#if defined(__Userspace__)
5975		stc.conn_addr_legal = 0;
5976#endif
5977	} else {
5978		stc.ipv6_addr_legal = 0;
5979#if defined(__Userspace__)
5980		if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_CONN) {
5981			stc.conn_addr_legal = 1;
5982			stc.ipv4_addr_legal = 0;
5983		} else {
5984			stc.conn_addr_legal = 0;
5985			stc.ipv4_addr_legal = 1;
5986		}
5987#else
5988		stc.ipv4_addr_legal = 1;
5989#endif
5990	}
5991#ifdef SCTP_DONT_DO_PRIVADDR_SCOPE
5992	stc.ipv4_scope = 1;
5993#else
5994	stc.ipv4_scope = 0;
5995#endif
5996	if (net == NULL) {
5997		to = src;
5998		switch (dst->sa_family) {
5999#ifdef INET
6000		case AF_INET:
6001		{
6002			/* lookup address */
6003			stc.address[0] = src4->sin_addr.s_addr;
6004			stc.address[1] = 0;
6005			stc.address[2] = 0;
6006			stc.address[3] = 0;
6007			stc.addr_type = SCTP_IPV4_ADDRESS;
6008			/* local from address */
6009			stc.laddress[0] = dst4->sin_addr.s_addr;
6010			stc.laddress[1] = 0;
6011			stc.laddress[2] = 0;
6012			stc.laddress[3] = 0;
6013			stc.laddr_type = SCTP_IPV4_ADDRESS;
6014			/* scope_id is only for v6 */
6015			stc.scope_id = 0;
6016#ifndef SCTP_DONT_DO_PRIVADDR_SCOPE
6017			if (IN4_ISPRIVATE_ADDRESS(&src4->sin_addr)) {
6018				stc.ipv4_scope = 1;
6019			}
6020#else
6021			stc.ipv4_scope = 1;
6022#endif				/* SCTP_DONT_DO_PRIVADDR_SCOPE */
6023			/* Must use the address in this case */
6024			if (sctp_is_address_on_local_host(src, vrf_id)) {
6025				stc.loopback_scope = 1;
6026				stc.ipv4_scope = 1;
6027				stc.site_scope = 1;
6028				stc.local_scope = 0;
6029			}
6030			break;
6031		}
6032#endif
6033#ifdef INET6
6034		case AF_INET6:
6035		{
6036			stc.addr_type = SCTP_IPV6_ADDRESS;
6037			memcpy(&stc.address, &src6->sin6_addr, sizeof(struct in6_addr));
6038#if defined(__FreeBSD__) && (((__FreeBSD_version < 900000) && (__FreeBSD_version >= 804000)) || (__FreeBSD_version > 900000))
6039			stc.scope_id = in6_getscope(&src6->sin6_addr);
6040#else
6041			stc.scope_id = 0;
6042#endif
6043			if (sctp_is_address_on_local_host(src, vrf_id)) {
6044				stc.loopback_scope = 1;
6045				stc.local_scope = 0;
6046				stc.site_scope = 1;
6047				stc.ipv4_scope = 1;
6048			} else if (IN6_IS_ADDR_LINKLOCAL(&src6->sin6_addr)) {
6049				/*
6050				 * If the new destination is a LINK_LOCAL we
6051				 * must have common both site and local
6052				 * scope. Don't set local scope though since
6053				 * we must depend on the source to be added
6054				 * implicitly. We cannot assure just because
6055				 * we share one link that all links are
6056				 * common.
6057				 */
6058#if defined(__APPLE__)
6059				/* Mac OS X currently doesn't have in6_getscope() */
6060				stc.scope_id = src6->sin6_addr.s6_addr16[1];
6061#endif
6062				stc.local_scope = 0;
6063				stc.site_scope = 1;
6064				stc.ipv4_scope = 1;
6065				/*
6066				 * we start counting for the private address
6067				 * stuff at 1. since the link local we
6068				 * source from won't show up in our scoped
6069				 * count.
6070				 */
6071				cnt_inits_to = 1;
6072				/* pull out the scope_id from incoming pkt */
6073			} else if (IN6_IS_ADDR_SITELOCAL(&src6->sin6_addr)) {
6074				/*
6075				 * If the new destination is SITE_LOCAL then
6076				 * we must have site scope in common.
6077				 */
6078				stc.site_scope = 1;
6079			}
6080			memcpy(&stc.laddress, &dst6->sin6_addr, sizeof(struct in6_addr));
6081			stc.laddr_type = SCTP_IPV6_ADDRESS;
6082			break;
6083		}
6084#endif
6085#if defined(__Userspace__)
6086		case AF_CONN:
6087		{
6088			/* lookup address */
6089			stc.address[0] = 0;
6090			stc.address[1] = 0;
6091			stc.address[2] = 0;
6092			stc.address[3] = 0;
6093			memcpy(&stc.address, &srcconn->sconn_addr, sizeof(void *));
6094			stc.addr_type = SCTP_CONN_ADDRESS;
6095			/* local from address */
6096			stc.laddress[0] = 0;
6097			stc.laddress[1] = 0;
6098			stc.laddress[2] = 0;
6099			stc.laddress[3] = 0;
6100			memcpy(&stc.laddress, &dstconn->sconn_addr, sizeof(void *));
6101			stc.laddr_type = SCTP_CONN_ADDRESS;
6102			/* scope_id is only for v6 */
6103			stc.scope_id = 0;
6104			break;
6105		}
6106#endif
6107		default:
6108			/* TSNH */
6109			goto do_a_abort;
6110			break;
6111		}
6112	} else {
6113		/* set the scope per the existing tcb */
6114
6115#ifdef INET6
6116		struct sctp_nets *lnet;
6117#endif
6118
6119		stc.loopback_scope = asoc->scope.loopback_scope;
6120		stc.ipv4_scope = asoc->scope.ipv4_local_scope;
6121		stc.site_scope = asoc->scope.site_scope;
6122		stc.local_scope = asoc->scope.local_scope;
6123#ifdef INET6
6124		/* Why do we not consider IPv4 LL addresses? */
6125		TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
6126			if (lnet->ro._l_addr.sin6.sin6_family == AF_INET6) {
6127				if (IN6_IS_ADDR_LINKLOCAL(&lnet->ro._l_addr.sin6.sin6_addr)) {
6128					/*
6129					 * if we have a LL address, start
6130					 * counting at 1.
6131					 */
6132					cnt_inits_to = 1;
6133				}
6134			}
6135		}
6136#endif
6137		/* use the net pointer */
6138		to = (struct sockaddr *)&net->ro._l_addr;
6139		switch (to->sa_family) {
6140#ifdef INET
6141		case AF_INET:
6142			sin = (struct sockaddr_in *)to;
6143			stc.address[0] = sin->sin_addr.s_addr;
6144			stc.address[1] = 0;
6145			stc.address[2] = 0;
6146			stc.address[3] = 0;
6147			stc.addr_type = SCTP_IPV4_ADDRESS;
6148			if (net->src_addr_selected == 0) {
6149				/*
6150				 * strange case here, the INIT should have
6151				 * did the selection.
6152				 */
6153				net->ro._s_addr = sctp_source_address_selection(inp,
6154										stcb, (sctp_route_t *)&net->ro,
6155										net, 0, vrf_id);
6156				if (net->ro._s_addr == NULL)
6157					return;
6158
6159				net->src_addr_selected = 1;
6160
6161			}
6162			stc.laddress[0] = net->ro._s_addr->address.sin.sin_addr.s_addr;
6163			stc.laddress[1] = 0;
6164			stc.laddress[2] = 0;
6165			stc.laddress[3] = 0;
6166			stc.laddr_type = SCTP_IPV4_ADDRESS;
6167			/* scope_id is only for v6 */
6168			stc.scope_id = 0;
6169			break;
6170#endif
6171#ifdef INET6
6172		case AF_INET6:
6173			sin6 = (struct sockaddr_in6 *)to;
6174			memcpy(&stc.address, &sin6->sin6_addr,
6175			       sizeof(struct in6_addr));
6176			stc.addr_type = SCTP_IPV6_ADDRESS;
6177			stc.scope_id = sin6->sin6_scope_id;
6178			if (net->src_addr_selected == 0) {
6179				/*
6180				 * strange case here, the INIT should have
6181				 * done the selection.
6182				 */
6183				net->ro._s_addr = sctp_source_address_selection(inp,
6184										stcb, (sctp_route_t *)&net->ro,
6185										net, 0, vrf_id);
6186				if (net->ro._s_addr == NULL)
6187					return;
6188
6189				net->src_addr_selected = 1;
6190			}
6191			memcpy(&stc.laddress, &net->ro._s_addr->address.sin6.sin6_addr,
6192			       sizeof(struct in6_addr));
6193			stc.laddr_type = SCTP_IPV6_ADDRESS;
6194			break;
6195#endif
6196#if defined(__Userspace__)
6197		case AF_CONN:
6198			sconn = (struct sockaddr_conn *)to;
6199			stc.address[0] = 0;
6200			stc.address[1] = 0;
6201			stc.address[2] = 0;
6202			stc.address[3] = 0;
6203			memcpy(&stc.address, &sconn->sconn_addr, sizeof(void *));
6204			stc.addr_type = SCTP_CONN_ADDRESS;
6205			stc.laddress[0] = 0;
6206			stc.laddress[1] = 0;
6207			stc.laddress[2] = 0;
6208			stc.laddress[3] = 0;
6209			memcpy(&stc.laddress, &sconn->sconn_addr, sizeof(void *));
6210			stc.laddr_type = SCTP_CONN_ADDRESS;
6211			stc.scope_id = 0;
6212			break;
6213#endif
6214		}
6215	}
6216	/* Now lets put the SCTP header in place */
6217	initack = mtod(m, struct sctp_init_ack_chunk *);
6218	/* Save it off for quick ref */
6219	stc.peers_vtag = init_chk->init.initiate_tag;
6220	/* who are we */
6221	memcpy(stc.identification, SCTP_VERSION_STRING,
6222	       min(strlen(SCTP_VERSION_STRING), sizeof(stc.identification)));
6223	memset(stc.reserved, 0, SCTP_RESERVE_SPACE);
6224	/* now the chunk header */
6225	initack->ch.chunk_type = SCTP_INITIATION_ACK;
6226	initack->ch.chunk_flags = 0;
6227	/* fill in later from mbuf we build */
6228	initack->ch.chunk_length = 0;
6229	/* place in my tag */
6230	if ((asoc != NULL) &&
6231	    ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
6232	     (SCTP_GET_STATE(asoc) == SCTP_STATE_INUSE) ||
6233	     (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED))) {
6234		/* re-use the v-tags and init-seq here */
6235		initack->init.initiate_tag = htonl(asoc->my_vtag);
6236		initack->init.initial_tsn = htonl(asoc->init_seq_number);
6237	} else {
6238		uint32_t vtag, itsn;
6239		if (hold_inp_lock) {
6240			SCTP_INP_INCR_REF(inp);
6241			SCTP_INP_RUNLOCK(inp);
6242		}
6243		if (asoc) {
6244			atomic_add_int(&asoc->refcnt, 1);
6245			SCTP_TCB_UNLOCK(stcb);
6246		new_tag:
6247			vtag = sctp_select_a_tag(inp, inp->sctp_lport, sh->src_port, 1);
6248			if ((asoc->peer_supports_nat)  && (vtag == asoc->my_vtag)) {
6249				/* Got a duplicate vtag on some guy behind a nat
6250				 * make sure we don't use it.
6251				 */
6252				goto new_tag;
6253			}
6254			initack->init.initiate_tag = htonl(vtag);
6255			/* get a TSN to use too */
6256			itsn = sctp_select_initial_TSN(&inp->sctp_ep);
6257			initack->init.initial_tsn = htonl(itsn);
6258			SCTP_TCB_LOCK(stcb);
6259			atomic_add_int(&asoc->refcnt, -1);
6260		} else {
6261			vtag = sctp_select_a_tag(inp, inp->sctp_lport, sh->src_port, 1);
6262			initack->init.initiate_tag = htonl(vtag);
6263			/* get a TSN to use too */
6264			initack->init.initial_tsn = htonl(sctp_select_initial_TSN(&inp->sctp_ep));
6265		}
6266		if (hold_inp_lock) {
6267			SCTP_INP_RLOCK(inp);
6268			SCTP_INP_DECR_REF(inp);
6269		}
6270	}
6271	/* save away my tag to */
6272	stc.my_vtag = initack->init.initiate_tag;
6273
6274	/* set up some of the credits. */
6275	so = inp->sctp_socket;
6276	if (so == NULL) {
6277		/* memory problem */
6278		sctp_m_freem(m);
6279		return;
6280	} else {
6281		initack->init.a_rwnd = htonl(max(SCTP_SB_LIMIT_RCV(so), SCTP_MINIMAL_RWND));
6282	}
6283	/* set what I want */
6284	his_limit = ntohs(init_chk->init.num_inbound_streams);
6285	/* choose what I want */
6286	if (asoc != NULL) {
6287		if (asoc->streamoutcnt > inp->sctp_ep.pre_open_stream_count) {
6288			i_want = asoc->streamoutcnt;
6289		} else {
6290			i_want = inp->sctp_ep.pre_open_stream_count;
6291		}
6292	} else {
6293		i_want = inp->sctp_ep.pre_open_stream_count;
6294	}
6295	if (his_limit < i_want) {
6296		/* I Want more :< */
6297		initack->init.num_outbound_streams = init_chk->init.num_inbound_streams;
6298	} else {
6299		/* I can have what I want :> */
6300		initack->init.num_outbound_streams = htons(i_want);
6301	}
6302	/* tell him his limit. */
6303	initack->init.num_inbound_streams =
6304		htons(inp->sctp_ep.max_open_streams_intome);
6305
6306	/* adaptation layer indication parameter */
6307	if (inp->sctp_ep.adaptation_layer_indicator_provided) {
6308		parameter_len = (uint16_t)sizeof(struct sctp_adaptation_layer_indication);
6309		ali = (struct sctp_adaptation_layer_indication *)(mtod(m, caddr_t) + chunk_len);
6310		ali->ph.param_type = htons(SCTP_ULP_ADAPTATION);
6311		ali->ph.param_length = htons(parameter_len);
6312		ali->indication = htonl(inp->sctp_ep.adaptation_layer_indicator);
6313		chunk_len += parameter_len;
6314	}
6315
6316	/* ECN parameter */
6317	if (((asoc != NULL) && (asoc->ecn_supported == 1)) ||
6318	    ((asoc == NULL) && (inp->ecn_supported == 1))) {
6319		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
6320		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t) + chunk_len);
6321		ph->param_type = htons(SCTP_ECN_CAPABLE);
6322		ph->param_length = htons(parameter_len);
6323		chunk_len += parameter_len;
6324	}
6325
6326	/* PR-SCTP supported parameter */
6327	if (((asoc != NULL) && (asoc->prsctp_supported == 1)) ||
6328	    ((asoc == NULL) && (inp->prsctp_supported == 1))) {
6329		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
6330		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t) + chunk_len);
6331		ph->param_type = htons(SCTP_PRSCTP_SUPPORTED);
6332		ph->param_length = htons(parameter_len);
6333		chunk_len += parameter_len;
6334	}
6335
6336	/* Add NAT friendly parameter */
6337	if (nat_friendly) {
6338		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
6339		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t) + chunk_len);
6340		ph->param_type = htons(SCTP_HAS_NAT_SUPPORT);
6341		ph->param_length = htons(parameter_len);
6342		chunk_len += parameter_len;
6343	}
6344
6345	/* And now tell the peer which extensions we support */
6346	num_ext = 0;
6347	pr_supported = (struct sctp_supported_chunk_types_param *)(mtod(m, caddr_t) + chunk_len);
6348	if (((asoc != NULL) && (asoc->prsctp_supported == 1)) ||
6349	    ((asoc == NULL) && (inp->prsctp_supported == 1))) {
6350		pr_supported->chunk_types[num_ext++] = SCTP_FORWARD_CUM_TSN;
6351	}
6352	if (((asoc != NULL) && (asoc->auth_supported == 1)) ||
6353	    ((asoc == NULL) && (inp->auth_supported == 1))) {
6354		pr_supported->chunk_types[num_ext++] = SCTP_AUTHENTICATION;
6355	}
6356	if (((asoc != NULL) && (asoc->asconf_supported == 1)) ||
6357	    ((asoc == NULL) && (inp->asconf_supported == 1))) {
6358		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF;
6359		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF_ACK;
6360	}
6361	if (((asoc != NULL) && (asoc->reconfig_supported == 1)) ||
6362	    ((asoc == NULL) && (inp->reconfig_supported == 1))) {
6363		pr_supported->chunk_types[num_ext++] = SCTP_STREAM_RESET;
6364	}
6365	if (((asoc != NULL) && (asoc->nrsack_supported == 1)) ||
6366	    ((asoc == NULL) && (inp->nrsack_supported == 1))) {
6367		pr_supported->chunk_types[num_ext++] = SCTP_NR_SELECTIVE_ACK;
6368	}
6369	if (((asoc != NULL) && (asoc->pktdrop_supported == 1)) ||
6370	    ((asoc == NULL) && (inp->pktdrop_supported == 1))) {
6371		pr_supported->chunk_types[num_ext++] = SCTP_PACKET_DROPPED;
6372	}
6373	if (num_ext > 0) {
6374		parameter_len = (uint16_t)sizeof(struct sctp_supported_chunk_types_param) + num_ext;
6375		pr_supported->ph.param_type = htons(SCTP_SUPPORTED_CHUNK_EXT);
6376		pr_supported->ph.param_length = htons(parameter_len);
6377		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6378		chunk_len += parameter_len;
6379	}
6380
6381	/* add authentication parameters */
6382	if (((asoc != NULL) && (asoc->auth_supported == 1)) ||
6383	    ((asoc == NULL) && (inp->auth_supported == 1))) {
6384		struct sctp_auth_random *randp;
6385		struct sctp_auth_hmac_algo *hmacs;
6386		struct sctp_auth_chunk_list *chunks;
6387
6388		if (padding_len > 0) {
6389			memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
6390			chunk_len += padding_len;
6391			padding_len = 0;
6392		}
6393		/* generate and add RANDOM parameter */
6394		randp = (struct sctp_auth_random *)(mtod(m, caddr_t) + chunk_len);
6395		parameter_len = (uint16_t)sizeof(struct sctp_auth_random) +
6396		                SCTP_AUTH_RANDOM_SIZE_DEFAULT;
6397		randp->ph.param_type = htons(SCTP_RANDOM);
6398		randp->ph.param_length = htons(parameter_len);
6399		SCTP_READ_RANDOM(randp->random_data, SCTP_AUTH_RANDOM_SIZE_DEFAULT);
6400		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6401		chunk_len += parameter_len;
6402
6403		if (padding_len > 0) {
6404			memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
6405			chunk_len += padding_len;
6406			padding_len = 0;
6407		}
6408		/* add HMAC_ALGO parameter */
6409		hmacs = (struct sctp_auth_hmac_algo *)(mtod(m, caddr_t) + chunk_len);
6410		parameter_len = (uint16_t)sizeof(struct sctp_auth_hmac_algo) +
6411		                sctp_serialize_hmaclist(inp->sctp_ep.local_hmacs,
6412		                                        (uint8_t *)hmacs->hmac_ids);
6413		hmacs->ph.param_type = htons(SCTP_HMAC_LIST);
6414		hmacs->ph.param_length = htons(parameter_len);
6415		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6416		chunk_len += parameter_len;
6417
6418		if (padding_len > 0) {
6419			memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
6420			chunk_len += padding_len;
6421			padding_len = 0;
6422		}
6423		/* add CHUNKS parameter */
6424		chunks = (struct sctp_auth_chunk_list *)(mtod(m, caddr_t) + chunk_len);
6425		parameter_len = (uint16_t)sizeof(struct sctp_auth_chunk_list) +
6426		                sctp_serialize_auth_chunks(inp->sctp_ep.local_auth_chunks,
6427		                                           chunks->chunk_types);
6428		chunks->ph.param_type = htons(SCTP_CHUNK_LIST);
6429		chunks->ph.param_length = htons(parameter_len);
6430		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6431		chunk_len += parameter_len;
6432	}
6433	SCTP_BUF_LEN(m) = chunk_len;
6434	m_last = m;
6435	/* now the addresses */
6436	/* To optimize this we could put the scoping stuff
6437	 * into a structure and remove the individual uint8's from
6438	 * the stc structure. Then we could just sifa in the
6439	 * address within the stc.. but for now this is a quick
6440	 * hack to get the address stuff teased apart.
6441	 */
6442	scp.ipv4_addr_legal = stc.ipv4_addr_legal;
6443	scp.ipv6_addr_legal = stc.ipv6_addr_legal;
6444#if defined(__Userspace__)
6445	scp.conn_addr_legal = stc.conn_addr_legal;
6446#endif
6447	scp.loopback_scope = stc.loopback_scope;
6448	scp.ipv4_local_scope = stc.ipv4_scope;
6449	scp.local_scope = stc.local_scope;
6450	scp.site_scope = stc.site_scope;
6451	m_last = sctp_add_addresses_to_i_ia(inp, stcb, &scp, m_last,
6452	                                    cnt_inits_to,
6453	                                    &padding_len, &chunk_len);
6454	/* padding_len can only be positive, if no addresses have been added */
6455	if (padding_len > 0) {
6456		memset(mtod(m, caddr_t) + chunk_len, 0, padding_len);
6457		chunk_len += padding_len;
6458		SCTP_BUF_LEN(m) += padding_len;
6459		padding_len = 0;
6460	}
6461
6462	/* tack on the operational error if present */
6463	if (op_err) {
6464		parameter_len = 0;
6465		for (m_tmp = op_err; m_tmp != NULL; m_tmp = SCTP_BUF_NEXT(m_tmp)) {
6466			parameter_len += SCTP_BUF_LEN(m_tmp);
6467		}
6468		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6469		SCTP_BUF_NEXT(m_last) = op_err;
6470		while (SCTP_BUF_NEXT(m_last) != NULL) {
6471			m_last = SCTP_BUF_NEXT(m_last);
6472		}
6473		chunk_len += parameter_len;
6474	}
6475	if (padding_len > 0) {
6476		m_last = sctp_add_pad_tombuf(m_last, padding_len);
6477		if (m_last == NULL) {
6478			/* Houston we have a problem, no space */
6479			sctp_m_freem(m);
6480			return;
6481		}
6482		chunk_len += padding_len;
6483		padding_len = 0;
6484	}
6485	/* Now we must build a cookie */
6486	m_cookie = sctp_add_cookie(init_pkt, offset, m, 0, &stc, &signature);
6487	if (m_cookie == NULL) {
6488		/* memory problem */
6489		sctp_m_freem(m);
6490		return;
6491	}
6492	/* Now append the cookie to the end and update the space/size */
6493	SCTP_BUF_NEXT(m_last) = m_cookie;
6494	parameter_len = 0;
6495	for (m_tmp = m_cookie; m_tmp != NULL; m_tmp = SCTP_BUF_NEXT(m_tmp)) {
6496		parameter_len += SCTP_BUF_LEN(m_tmp);
6497		if (SCTP_BUF_NEXT(m_tmp) == NULL) {
6498			m_last = m_tmp;
6499		}
6500	}
6501	padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6502	chunk_len += parameter_len;
6503
6504	/* Place in the size, but we don't include
6505	 * the last pad (if any) in the INIT-ACK.
6506	 */
6507	initack->ch.chunk_length = htons(chunk_len);
6508
6509	/* Time to sign the cookie, we don't sign over the cookie
6510	 * signature though thus we set trailer.
6511	 */
6512	(void)sctp_hmac_m(SCTP_HMAC,
6513			  (uint8_t *)inp->sctp_ep.secret_key[(int)(inp->sctp_ep.current_secret_number)],
6514			  SCTP_SECRET_SIZE, m_cookie, sizeof(struct sctp_paramhdr),
6515			  (uint8_t *)signature, SCTP_SIGNATURE_SIZE);
6516	/*
6517	 * We sifa 0 here to NOT set IP_DF if its IPv4, we ignore the return
6518	 * here since the timer will drive a retranmission.
6519	 */
6520	if (padding_len > 0) {
6521		if (sctp_add_pad_tombuf(m_last, padding_len) == NULL) {
6522			sctp_m_freem(m);
6523			return;
6524		}
6525	}
6526	if (stc.loopback_scope) {
6527		over_addr = (union sctp_sockstore *)dst;
6528	} else {
6529		over_addr = NULL;
6530	}
6531
6532	(void)sctp_lowlevel_chunk_output(inp, NULL, NULL, to, m, 0, NULL, 0, 0,
6533	                                 0, 0,
6534	                                 inp->sctp_lport, sh->src_port, init_chk->init.initiate_tag,
6535	                                 port, over_addr,
6536#if defined(__FreeBSD__)
6537	                                 use_mflowid, mflowid,
6538#endif
6539	                                 SCTP_SO_NOT_LOCKED);
6540	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
6541}
6542
6543
6544static void
6545sctp_prune_prsctp(struct sctp_tcb *stcb,
6546    struct sctp_association *asoc,
6547    struct sctp_sndrcvinfo *srcv,
6548    int dataout)
6549{
6550	int freed_spc = 0;
6551	struct sctp_tmit_chunk *chk, *nchk;
6552
6553	SCTP_TCB_LOCK_ASSERT(stcb);
6554	if ((asoc->prsctp_supported) &&
6555	    (asoc->sent_queue_cnt_removeable > 0)) {
6556		TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
6557			/*
6558			 * Look for chunks marked with the PR_SCTP flag AND
6559			 * the buffer space flag. If the one being sent is
6560			 * equal or greater priority then purge the old one
6561			 * and free some space.
6562			 */
6563			if (PR_SCTP_BUF_ENABLED(chk->flags)) {
6564				/*
6565				 * This one is PR-SCTP AND buffer space
6566				 * limited type
6567				 */
6568				if (chk->rec.data.timetodrop.tv_sec >= (long)srcv->sinfo_timetolive) {
6569					/*
6570					 * Lower numbers equates to higher
6571					 * priority so if the one we are
6572					 * looking at has a larger or equal
6573					 * priority we want to drop the data
6574					 * and NOT retransmit it.
6575					 */
6576					if (chk->data) {
6577						/*
6578						 * We release the book_size
6579						 * if the mbuf is here
6580						 */
6581						int ret_spc;
6582						uint8_t sent;
6583
6584						if (chk->sent > SCTP_DATAGRAM_UNSENT)
6585							sent = 1;
6586						else
6587							sent = 0;
6588						ret_spc = sctp_release_pr_sctp_chunk(stcb, chk,
6589						    sent,
6590						    SCTP_SO_LOCKED);
6591						freed_spc += ret_spc;
6592						if (freed_spc >= dataout) {
6593							return;
6594						}
6595					}	/* if chunk was present */
6596				}	/* if of sufficent priority */
6597			}	/* if chunk has enabled */
6598		}		/* tailqforeach */
6599
6600		TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
6601			/* Here we must move to the sent queue and mark */
6602			if (PR_SCTP_BUF_ENABLED(chk->flags)) {
6603				if (chk->rec.data.timetodrop.tv_sec >= (long)srcv->sinfo_timetolive) {
6604					if (chk->data) {
6605						/*
6606						 * We release the book_size
6607						 * if the mbuf is here
6608						 */
6609						int ret_spc;
6610
6611						ret_spc = sctp_release_pr_sctp_chunk(stcb, chk,
6612						    0, SCTP_SO_LOCKED);
6613
6614						freed_spc += ret_spc;
6615						if (freed_spc >= dataout) {
6616							return;
6617						}
6618					}	/* end if chk->data */
6619				}	/* end if right class */
6620			}	/* end if chk pr-sctp */
6621		}		/* tailqforeachsafe (chk) */
6622	}			/* if enabled in asoc */
6623}
6624
6625int
6626sctp_get_frag_point(struct sctp_tcb *stcb,
6627    struct sctp_association *asoc)
6628{
6629	int siz, ovh;
6630
6631	/*
6632	 * For endpoints that have both v6 and v4 addresses we must reserve
6633	 * room for the ipv6 header, for those that are only dealing with V4
6634	 * we use a larger frag point.
6635	 */
6636	if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
6637		ovh = SCTP_MED_OVERHEAD;
6638	} else {
6639		ovh = SCTP_MED_V4_OVERHEAD;
6640	}
6641
6642	if (stcb->asoc.sctp_frag_point > asoc->smallest_mtu)
6643		siz = asoc->smallest_mtu - ovh;
6644	else
6645		siz = (stcb->asoc.sctp_frag_point - ovh);
6646	/*
6647	 * if (siz > (MCLBYTES-sizeof(struct sctp_data_chunk))) {
6648	 */
6649	/* A data chunk MUST fit in a cluster */
6650	/* siz = (MCLBYTES - sizeof(struct sctp_data_chunk)); */
6651	/* } */
6652
6653	/* adjust for an AUTH chunk if DATA requires auth */
6654	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks))
6655		siz -= sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
6656
6657	if (siz % 4) {
6658		/* make it an even word boundary please */
6659		siz -= (siz % 4);
6660	}
6661	return (siz);
6662}
6663
6664static void
6665sctp_set_prsctp_policy(struct sctp_stream_queue_pending *sp)
6666{
6667	/*
6668	 * We assume that the user wants PR_SCTP_TTL if the user
6669	 * provides a positive lifetime but does not specify any
6670	 * PR_SCTP policy.
6671	 */
6672	if (PR_SCTP_ENABLED(sp->sinfo_flags)) {
6673		sp->act_flags |= PR_SCTP_POLICY(sp->sinfo_flags);
6674	} else if (sp->timetolive > 0) {
6675		sp->sinfo_flags |= SCTP_PR_SCTP_TTL;
6676		sp->act_flags |= PR_SCTP_POLICY(sp->sinfo_flags);
6677	} else {
6678		return;
6679	}
6680	switch (PR_SCTP_POLICY(sp->sinfo_flags)) {
6681	case CHUNK_FLAGS_PR_SCTP_BUF:
6682		/*
6683		 * Time to live is a priority stored in tv_sec when
6684		 * doing the buffer drop thing.
6685		 */
6686		sp->ts.tv_sec = sp->timetolive;
6687		sp->ts.tv_usec = 0;
6688		break;
6689	case CHUNK_FLAGS_PR_SCTP_TTL:
6690	{
6691		struct timeval tv;
6692		(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
6693		tv.tv_sec = sp->timetolive / 1000;
6694		tv.tv_usec = (sp->timetolive * 1000) % 1000000;
6695		/* TODO sctp_constants.h needs alternative time macros when
6696		 *  _KERNEL is undefined.
6697		 */
6698#ifndef __FreeBSD__
6699		timeradd(&sp->ts, &tv, &sp->ts);
6700#else
6701		timevaladd(&sp->ts, &tv);
6702#endif
6703	}
6704		break;
6705	case CHUNK_FLAGS_PR_SCTP_RTX:
6706		/*
6707		 * Time to live is a the number or retransmissions
6708		 * stored in tv_sec.
6709		 */
6710		sp->ts.tv_sec = sp->timetolive;
6711		sp->ts.tv_usec = 0;
6712		break;
6713	default:
6714		SCTPDBG(SCTP_DEBUG_USRREQ1,
6715			"Unknown PR_SCTP policy %u.\n",
6716			PR_SCTP_POLICY(sp->sinfo_flags));
6717		break;
6718	}
6719}
6720
6721static int
6722sctp_msg_append(struct sctp_tcb *stcb,
6723		struct sctp_nets *net,
6724		struct mbuf *m,
6725		struct sctp_sndrcvinfo *srcv, int hold_stcb_lock)
6726{
6727	int error = 0;
6728	struct mbuf *at;
6729	struct sctp_stream_queue_pending *sp = NULL;
6730	struct sctp_stream_out *strm;
6731
6732	/* Given an mbuf chain, put it
6733	 * into the association send queue and
6734	 * place it on the wheel
6735	 */
6736	if (srcv->sinfo_stream >= stcb->asoc.streamoutcnt) {
6737		/* Invalid stream number */
6738		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
6739		error = EINVAL;
6740		goto out_now;
6741	}
6742	if ((stcb->asoc.stream_locked) &&
6743	    (stcb->asoc.stream_locked_on != srcv->sinfo_stream)) {
6744		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
6745		error = EINVAL;
6746		goto out_now;
6747	}
6748	strm = &stcb->asoc.strmout[srcv->sinfo_stream];
6749	/* Now can we send this? */
6750	if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_SENT) ||
6751	    (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
6752	    (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
6753	    (stcb->asoc.state & SCTP_STATE_SHUTDOWN_PENDING)) {
6754		/* got data while shutting down */
6755		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
6756		error = ECONNRESET;
6757		goto out_now;
6758	}
6759	sctp_alloc_a_strmoq(stcb, sp);
6760	if (sp == NULL) {
6761		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
6762		error = ENOMEM;
6763		goto out_now;
6764	}
6765	sp->sinfo_flags = srcv->sinfo_flags;
6766	sp->timetolive = srcv->sinfo_timetolive;
6767	sp->ppid = srcv->sinfo_ppid;
6768	sp->context = srcv->sinfo_context;
6769	if (sp->sinfo_flags & SCTP_ADDR_OVER) {
6770		sp->net = net;
6771		atomic_add_int(&sp->net->ref_count, 1);
6772	} else {
6773		sp->net = NULL;
6774	}
6775	(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
6776	sp->stream = srcv->sinfo_stream;
6777	sp->msg_is_complete = 1;
6778	sp->sender_all_done = 1;
6779	sp->some_taken = 0;
6780	sp->data = m;
6781	sp->tail_mbuf = NULL;
6782	sctp_set_prsctp_policy(sp);
6783	/* We could in theory (for sendall) sifa the length
6784	 * in, but we would still have to hunt through the
6785	 * chain since we need to setup the tail_mbuf
6786	 */
6787	sp->length = 0;
6788	for (at = m; at; at = SCTP_BUF_NEXT(at)) {
6789		if (SCTP_BUF_NEXT(at) == NULL)
6790			sp->tail_mbuf = at;
6791		sp->length += SCTP_BUF_LEN(at);
6792	}
6793	if (srcv->sinfo_keynumber_valid) {
6794		sp->auth_keyid = srcv->sinfo_keynumber;
6795	} else {
6796		sp->auth_keyid = stcb->asoc.authinfo.active_keyid;
6797	}
6798	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks)) {
6799		sctp_auth_key_acquire(stcb, sp->auth_keyid);
6800		sp->holds_key_ref = 1;
6801	}
6802	if (hold_stcb_lock == 0) {
6803		SCTP_TCB_SEND_LOCK(stcb);
6804	}
6805	sctp_snd_sb_alloc(stcb, sp->length);
6806	atomic_add_int(&stcb->asoc.stream_queue_cnt, 1);
6807	TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
6808	stcb->asoc.ss_functions.sctp_ss_add_to_stream(stcb, &stcb->asoc, strm, sp, 1);
6809	m = NULL;
6810	if (hold_stcb_lock == 0) {
6811		SCTP_TCB_SEND_UNLOCK(stcb);
6812	}
6813out_now:
6814	if (m) {
6815		sctp_m_freem(m);
6816	}
6817	return (error);
6818}
6819
6820
6821static struct mbuf *
6822sctp_copy_mbufchain(struct mbuf *clonechain,
6823		    struct mbuf *outchain,
6824		    struct mbuf **endofchain,
6825		    int can_take_mbuf,
6826		    int sizeofcpy,
6827		    uint8_t copy_by_ref)
6828{
6829	struct mbuf *m;
6830	struct mbuf *appendchain;
6831	caddr_t cp;
6832	int len;
6833
6834	if (endofchain == NULL) {
6835		/* error */
6836	error_out:
6837		if (outchain)
6838			sctp_m_freem(outchain);
6839		return (NULL);
6840	}
6841	if (can_take_mbuf) {
6842		appendchain = clonechain;
6843	} else {
6844		if (!copy_by_ref &&
6845#if defined(__Panda__)
6846		    0
6847#else
6848		    (sizeofcpy <= (int)((((SCTP_BASE_SYSCTL(sctp_mbuf_threshold_count) - 1) * MLEN) + MHLEN)))
6849#endif
6850		    ) {
6851			/* Its not in a cluster */
6852			if (*endofchain == NULL) {
6853				/* lets get a mbuf cluster */
6854				if (outchain == NULL) {
6855					/* This is the general case */
6856				new_mbuf:
6857					outchain = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_HEADER);
6858					if (outchain == NULL) {
6859						goto error_out;
6860					}
6861					SCTP_BUF_LEN(outchain) = 0;
6862					*endofchain = outchain;
6863					/* get the prepend space */
6864					SCTP_BUF_RESV_UF(outchain, (SCTP_FIRST_MBUF_RESV+4));
6865				} else {
6866					/* We really should not get a NULL in endofchain */
6867					/* find end */
6868					m = outchain;
6869					while (m) {
6870						if (SCTP_BUF_NEXT(m) == NULL) {
6871							*endofchain = m;
6872							break;
6873						}
6874						m = SCTP_BUF_NEXT(m);
6875					}
6876					/* sanity */
6877					if (*endofchain == NULL) {
6878						/* huh, TSNH XXX maybe we should panic */
6879						sctp_m_freem(outchain);
6880						goto new_mbuf;
6881					}
6882				}
6883				/* get the new end of length */
6884				len = M_TRAILINGSPACE(*endofchain);
6885			} else {
6886				/* how much is left at the end? */
6887				len = M_TRAILINGSPACE(*endofchain);
6888			}
6889			/* Find the end of the data, for appending */
6890			cp = (mtod((*endofchain), caddr_t) + SCTP_BUF_LEN((*endofchain)));
6891
6892			/* Now lets copy it out */
6893			if (len >= sizeofcpy) {
6894				/* It all fits, copy it in */
6895				m_copydata(clonechain, 0, sizeofcpy, cp);
6896				SCTP_BUF_LEN((*endofchain)) += sizeofcpy;
6897			} else {
6898				/* fill up the end of the chain */
6899				if (len > 0) {
6900					m_copydata(clonechain, 0, len, cp);
6901					SCTP_BUF_LEN((*endofchain)) += len;
6902					/* now we need another one */
6903					sizeofcpy -= len;
6904				}
6905				m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_HEADER);
6906				if (m == NULL) {
6907					/* We failed */
6908					goto error_out;
6909				}
6910				SCTP_BUF_NEXT((*endofchain)) = m;
6911				*endofchain = m;
6912				cp = mtod((*endofchain), caddr_t);
6913				m_copydata(clonechain, len, sizeofcpy, cp);
6914				SCTP_BUF_LEN((*endofchain)) += sizeofcpy;
6915			}
6916			return (outchain);
6917		} else {
6918			/* copy the old fashion way */
6919			appendchain = SCTP_M_COPYM(clonechain, 0, M_COPYALL, M_NOWAIT);
6920#ifdef SCTP_MBUF_LOGGING
6921			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
6922				struct mbuf *mat;
6923
6924				for (mat = appendchain; mat; mat = SCTP_BUF_NEXT(mat)) {
6925					if (SCTP_BUF_IS_EXTENDED(mat)) {
6926						sctp_log_mb(mat, SCTP_MBUF_ICOPY);
6927					}
6928				}
6929			}
6930#endif
6931		}
6932	}
6933	if (appendchain == NULL) {
6934		/* error */
6935		if (outchain)
6936			sctp_m_freem(outchain);
6937		return (NULL);
6938	}
6939	if (outchain) {
6940		/* tack on to the end */
6941		if (*endofchain != NULL) {
6942			SCTP_BUF_NEXT(((*endofchain))) = appendchain;
6943		} else {
6944			m = outchain;
6945			while (m) {
6946				if (SCTP_BUF_NEXT(m) == NULL) {
6947					SCTP_BUF_NEXT(m) = appendchain;
6948					break;
6949				}
6950				m = SCTP_BUF_NEXT(m);
6951			}
6952		}
6953		/*
6954		 * save off the end and update the end-chain
6955		 * postion
6956		 */
6957		m = appendchain;
6958		while (m) {
6959			if (SCTP_BUF_NEXT(m) == NULL) {
6960				*endofchain = m;
6961				break;
6962			}
6963			m = SCTP_BUF_NEXT(m);
6964		}
6965		return (outchain);
6966	} else {
6967		/* save off the end and update the end-chain postion */
6968		m = appendchain;
6969		while (m) {
6970			if (SCTP_BUF_NEXT(m) == NULL) {
6971				*endofchain = m;
6972				break;
6973			}
6974			m = SCTP_BUF_NEXT(m);
6975		}
6976		return (appendchain);
6977	}
6978}
6979
6980static int
6981sctp_med_chunk_output(struct sctp_inpcb *inp,
6982		      struct sctp_tcb *stcb,
6983		      struct sctp_association *asoc,
6984		      int *num_out,
6985		      int *reason_code,
6986		      int control_only, int from_where,
6987		      struct timeval *now, int *now_filled, int frag_point, int so_locked
6988#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
6989		      SCTP_UNUSED
6990#endif
6991                      );
6992
6993static void
6994sctp_sendall_iterator(struct sctp_inpcb *inp, struct sctp_tcb *stcb, void *ptr,
6995    uint32_t val SCTP_UNUSED)
6996{
6997	struct sctp_copy_all *ca;
6998	struct mbuf *m;
6999	int ret = 0;
7000	int added_control = 0;
7001	int un_sent, do_chunk_output = 1;
7002	struct sctp_association *asoc;
7003	struct sctp_nets *net;
7004
7005	ca = (struct sctp_copy_all *)ptr;
7006	if (ca->m == NULL) {
7007		return;
7008	}
7009	if (ca->inp != inp) {
7010		/* TSNH */
7011		return;
7012	}
7013	if (ca->sndlen > 0) {
7014		m = SCTP_M_COPYM(ca->m, 0, M_COPYALL, M_NOWAIT);
7015		if (m == NULL) {
7016			/* can't copy so we are done */
7017			ca->cnt_failed++;
7018			return;
7019		}
7020#ifdef SCTP_MBUF_LOGGING
7021		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
7022			struct mbuf *mat;
7023
7024			for (mat = m; mat; mat = SCTP_BUF_NEXT(mat)) {
7025				if (SCTP_BUF_IS_EXTENDED(mat)) {
7026					sctp_log_mb(mat, SCTP_MBUF_ICOPY);
7027				}
7028			}
7029		}
7030#endif
7031	} else {
7032		m = NULL;
7033	}
7034	SCTP_TCB_LOCK_ASSERT(stcb);
7035	if (stcb->asoc.alternate) {
7036		net = stcb->asoc.alternate;
7037	} else {
7038		net = stcb->asoc.primary_destination;
7039	}
7040	if (ca->sndrcv.sinfo_flags & SCTP_ABORT) {
7041		/* Abort this assoc with m as the user defined reason */
7042		if (m != NULL) {
7043			SCTP_BUF_PREPEND(m, sizeof(struct sctp_paramhdr), M_NOWAIT);
7044		} else {
7045			m = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
7046			                          0, M_NOWAIT, 1, MT_DATA);
7047			SCTP_BUF_LEN(m) = sizeof(struct sctp_paramhdr);
7048		}
7049		if (m != NULL) {
7050			struct sctp_paramhdr *ph;
7051
7052			ph = mtod(m, struct sctp_paramhdr *);
7053			ph->param_type = htons(SCTP_CAUSE_USER_INITIATED_ABT);
7054			ph->param_length = htons(sizeof(struct sctp_paramhdr) + ca->sndlen);
7055		}
7056		/* We add one here to keep the assoc from
7057		 * dis-appearing on us.
7058		 */
7059		atomic_add_int(&stcb->asoc.refcnt, 1);
7060		sctp_abort_an_association(inp, stcb, m, SCTP_SO_NOT_LOCKED);
7061		/* sctp_abort_an_association calls sctp_free_asoc()
7062		 * free association will NOT free it since we
7063		 * incremented the refcnt .. we do this to prevent
7064		 * it being freed and things getting tricky since
7065		 * we could end up (from free_asoc) calling inpcb_free
7066		 * which would get a recursive lock call to the
7067		 * iterator lock.. But as a consequence of that the
7068		 * stcb will return to us un-locked.. since free_asoc
7069		 * returns with either no TCB or the TCB unlocked, we
7070		 * must relock.. to unlock in the iterator timer :-0
7071		 */
7072		SCTP_TCB_LOCK(stcb);
7073		atomic_add_int(&stcb->asoc.refcnt, -1);
7074		goto no_chunk_output;
7075	} else {
7076		if (m) {
7077			ret = sctp_msg_append(stcb, net, m,
7078					      &ca->sndrcv, 1);
7079		}
7080		asoc = &stcb->asoc;
7081		if (ca->sndrcv.sinfo_flags & SCTP_EOF) {
7082			/* shutdown this assoc */
7083			int cnt;
7084			cnt = sctp_is_there_unsent_data(stcb, SCTP_SO_NOT_LOCKED);
7085
7086			if (TAILQ_EMPTY(&asoc->send_queue) &&
7087			    TAILQ_EMPTY(&asoc->sent_queue) &&
7088			    (cnt == 0)) {
7089				if (asoc->locked_on_sending) {
7090					goto abort_anyway;
7091				}
7092				/* there is nothing queued to send, so I'm done... */
7093				if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
7094				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
7095				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
7096					/* only send SHUTDOWN the first time through */
7097					if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
7098						SCTP_STAT_DECR_GAUGE32(sctps_currestab);
7099					}
7100					SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT);
7101					SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
7102					sctp_stop_timers_for_shutdown(stcb);
7103					sctp_send_shutdown(stcb, net);
7104					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
7105							 net);
7106					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
7107							 asoc->primary_destination);
7108					added_control = 1;
7109					do_chunk_output = 0;
7110				}
7111			} else {
7112				/*
7113				 * we still got (or just got) data to send, so set
7114				 * SHUTDOWN_PENDING
7115				 */
7116				/*
7117				 * XXX sockets draft says that SCTP_EOF should be
7118				 * sent with no data.  currently, we will allow user
7119				 * data to be sent first and move to
7120				 * SHUTDOWN-PENDING
7121				 */
7122				if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
7123				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
7124				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
7125					if (asoc->locked_on_sending) {
7126						/* Locked to send out the data */
7127						struct sctp_stream_queue_pending *sp;
7128						sp = TAILQ_LAST(&asoc->locked_on_sending->outqueue, sctp_streamhead);
7129						if (sp) {
7130							if ((sp->length == 0) && (sp->msg_is_complete == 0))
7131								asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT;
7132						}
7133					}
7134					asoc->state |= SCTP_STATE_SHUTDOWN_PENDING;
7135					if (TAILQ_EMPTY(&asoc->send_queue) &&
7136					    TAILQ_EMPTY(&asoc->sent_queue) &&
7137					    (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
7138					abort_anyway:
7139						atomic_add_int(&stcb->asoc.refcnt, 1);
7140						sctp_abort_an_association(stcb->sctp_ep, stcb,
7141									  NULL, SCTP_SO_NOT_LOCKED);
7142						atomic_add_int(&stcb->asoc.refcnt, -1);
7143						goto no_chunk_output;
7144					}
7145					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
7146							 asoc->primary_destination);
7147				}
7148			}
7149
7150		}
7151	}
7152	un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
7153		   (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
7154
7155	if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
7156	    (stcb->asoc.total_flight > 0) &&
7157	    (un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD))) {
7158		do_chunk_output = 0;
7159	}
7160	if (do_chunk_output)
7161		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_NOT_LOCKED);
7162	else if (added_control) {
7163		int num_out = 0, reason = 0, now_filled = 0;
7164		struct timeval now;
7165		int frag_point;
7166		frag_point = sctp_get_frag_point(stcb, &stcb->asoc);
7167		(void)sctp_med_chunk_output(inp, stcb, &stcb->asoc, &num_out,
7168				      &reason, 1, 1, &now, &now_filled, frag_point, SCTP_SO_NOT_LOCKED);
7169	}
7170 no_chunk_output:
7171	if (ret) {
7172		ca->cnt_failed++;
7173	} else {
7174		ca->cnt_sent++;
7175	}
7176}
7177
7178static void
7179sctp_sendall_completes(void *ptr, uint32_t val SCTP_UNUSED)
7180{
7181	struct sctp_copy_all *ca;
7182
7183	ca = (struct sctp_copy_all *)ptr;
7184	/*
7185	 * Do a notify here? Kacheong suggests that the notify be done at
7186	 * the send time.. so you would push up a notification if any send
7187	 * failed. Don't know if this is feasable since the only failures we
7188	 * have is "memory" related and if you cannot get an mbuf to send
7189	 * the data you surely can't get an mbuf to send up to notify the
7190	 * user you can't send the data :->
7191	 */
7192
7193	/* now free everything */
7194	sctp_m_freem(ca->m);
7195	SCTP_FREE(ca, SCTP_M_COPYAL);
7196}
7197
7198
7199#define	MC_ALIGN(m, len) do {						\
7200	SCTP_BUF_RESV_UF(m, ((MCLBYTES - (len)) & ~(sizeof(long) - 1));	\
7201} while (0)
7202
7203
7204
7205static struct mbuf *
7206sctp_copy_out_all(struct uio *uio, int len)
7207{
7208	struct mbuf *ret, *at;
7209	int left, willcpy, cancpy, error;
7210
7211	ret = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_WAITOK, 1, MT_DATA);
7212	if (ret == NULL) {
7213		/* TSNH */
7214		return (NULL);
7215	}
7216	left = len;
7217	SCTP_BUF_LEN(ret) = 0;
7218	/* save space for the data chunk header */
7219	cancpy = M_TRAILINGSPACE(ret);
7220	willcpy = min(cancpy, left);
7221	at = ret;
7222	while (left > 0) {
7223		/* Align data to the end */
7224		error = uiomove(mtod(at, caddr_t), willcpy, uio);
7225		if (error) {
7226	err_out_now:
7227			sctp_m_freem(at);
7228			return (NULL);
7229		}
7230		SCTP_BUF_LEN(at) = willcpy;
7231		SCTP_BUF_NEXT_PKT(at) = SCTP_BUF_NEXT(at) = 0;
7232		left -= willcpy;
7233		if (left > 0) {
7234			SCTP_BUF_NEXT(at) = sctp_get_mbuf_for_msg(left, 0, M_WAITOK, 1, MT_DATA);
7235			if (SCTP_BUF_NEXT(at) == NULL) {
7236				goto err_out_now;
7237			}
7238			at = SCTP_BUF_NEXT(at);
7239			SCTP_BUF_LEN(at) = 0;
7240			cancpy = M_TRAILINGSPACE(at);
7241			willcpy = min(cancpy, left);
7242		}
7243	}
7244	return (ret);
7245}
7246
7247static int
7248sctp_sendall(struct sctp_inpcb *inp, struct uio *uio, struct mbuf *m,
7249    struct sctp_sndrcvinfo *srcv)
7250{
7251	int ret;
7252	struct sctp_copy_all *ca;
7253
7254	SCTP_MALLOC(ca, struct sctp_copy_all *, sizeof(struct sctp_copy_all),
7255		    SCTP_M_COPYAL);
7256	if (ca == NULL) {
7257		sctp_m_freem(m);
7258		SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
7259		return (ENOMEM);
7260	}
7261	memset(ca, 0, sizeof(struct sctp_copy_all));
7262
7263	ca->inp = inp;
7264	if (srcv) {
7265		memcpy(&ca->sndrcv, srcv, sizeof(struct sctp_nonpad_sndrcvinfo));
7266	}
7267	/*
7268	 * take off the sendall flag, it would be bad if we failed to do
7269	 * this :-0
7270	 */
7271	ca->sndrcv.sinfo_flags &= ~SCTP_SENDALL;
7272	/* get length and mbuf chain */
7273	if (uio) {
7274#if defined(__APPLE__)
7275#if defined(APPLE_LEOPARD)
7276		ca->sndlen = uio->uio_resid;
7277#else
7278		ca->sndlen = uio_resid(uio);
7279#endif
7280#else
7281		ca->sndlen = uio->uio_resid;
7282#endif
7283#if defined(__APPLE__)
7284		SCTP_SOCKET_UNLOCK(SCTP_INP_SO(inp), 0);
7285#endif
7286		ca->m = sctp_copy_out_all(uio, ca->sndlen);
7287#if defined(__APPLE__)
7288		SCTP_SOCKET_LOCK(SCTP_INP_SO(inp), 0);
7289#endif
7290		if (ca->m == NULL) {
7291			SCTP_FREE(ca, SCTP_M_COPYAL);
7292			SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
7293			return (ENOMEM);
7294		}
7295	} else {
7296		/* Gather the length of the send */
7297		struct mbuf *mat;
7298
7299		ca->sndlen = 0;
7300		for (mat = m; mat; mat = SCTP_BUF_NEXT(mat)) {
7301			ca->sndlen += SCTP_BUF_LEN(mat);
7302		}
7303	}
7304	ret = sctp_initiate_iterator(NULL, sctp_sendall_iterator, NULL,
7305				     SCTP_PCB_ANY_FLAGS, SCTP_PCB_ANY_FEATURES,
7306				     SCTP_ASOC_ANY_STATE,
7307				     (void *)ca, 0,
7308				     sctp_sendall_completes, inp, 1);
7309	if (ret) {
7310		SCTP_PRINTF("Failed to initiate iterator for sendall\n");
7311		SCTP_FREE(ca, SCTP_M_COPYAL);
7312		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
7313		return (EFAULT);
7314	}
7315	return (0);
7316}
7317
7318
7319void
7320sctp_toss_old_cookies(struct sctp_tcb *stcb, struct sctp_association *asoc)
7321{
7322	struct sctp_tmit_chunk *chk, *nchk;
7323
7324	TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
7325		if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
7326			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
7327			if (chk->data) {
7328				sctp_m_freem(chk->data);
7329				chk->data = NULL;
7330			}
7331			asoc->ctrl_queue_cnt--;
7332			sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
7333		}
7334	}
7335}
7336
7337void
7338sctp_toss_old_asconf(struct sctp_tcb *stcb)
7339{
7340	struct sctp_association *asoc;
7341	struct sctp_tmit_chunk *chk, *nchk;
7342	struct sctp_asconf_chunk *acp;
7343
7344	asoc = &stcb->asoc;
7345	TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
7346		/* find SCTP_ASCONF chunk in queue */
7347		if (chk->rec.chunk_id.id == SCTP_ASCONF) {
7348			if (chk->data) {
7349				acp = mtod(chk->data, struct sctp_asconf_chunk *);
7350				if (SCTP_TSN_GT(ntohl(acp->serial_number), asoc->asconf_seq_out_acked)) {
7351					/* Not Acked yet */
7352					break;
7353				}
7354			}
7355			TAILQ_REMOVE(&asoc->asconf_send_queue, chk, sctp_next);
7356			if (chk->data) {
7357				sctp_m_freem(chk->data);
7358				chk->data = NULL;
7359			}
7360			asoc->ctrl_queue_cnt--;
7361			sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
7362		}
7363	}
7364}
7365
7366
7367static void
7368sctp_clean_up_datalist(struct sctp_tcb *stcb,
7369    struct sctp_association *asoc,
7370    struct sctp_tmit_chunk **data_list,
7371    int bundle_at,
7372    struct sctp_nets *net)
7373{
7374	int i;
7375	struct sctp_tmit_chunk *tp1;
7376
7377	for (i = 0; i < bundle_at; i++) {
7378		/* off of the send queue */
7379		TAILQ_REMOVE(&asoc->send_queue, data_list[i], sctp_next);
7380		asoc->send_queue_cnt--;
7381		if (i > 0) {
7382			/*
7383			 * Any chunk NOT 0 you zap the time chunk 0 gets
7384			 * zapped or set based on if a RTO measurment is
7385			 * needed.
7386			 */
7387			data_list[i]->do_rtt = 0;
7388		}
7389		/* record time */
7390		data_list[i]->sent_rcv_time = net->last_sent_time;
7391		data_list[i]->rec.data.cwnd_at_send = net->cwnd;
7392		data_list[i]->rec.data.fast_retran_tsn = data_list[i]->rec.data.TSN_seq;
7393		if (data_list[i]->whoTo == NULL) {
7394			data_list[i]->whoTo = net;
7395			atomic_add_int(&net->ref_count, 1);
7396		}
7397		/* on to the sent queue */
7398		tp1 = TAILQ_LAST(&asoc->sent_queue, sctpchunk_listhead);
7399		if ((tp1) && SCTP_TSN_GT(tp1->rec.data.TSN_seq, data_list[i]->rec.data.TSN_seq)) {
7400			struct sctp_tmit_chunk *tpp;
7401
7402			/* need to move back */
7403		back_up_more:
7404			tpp = TAILQ_PREV(tp1, sctpchunk_listhead, sctp_next);
7405			if (tpp == NULL) {
7406				TAILQ_INSERT_BEFORE(tp1, data_list[i], sctp_next);
7407				goto all_done;
7408			}
7409			tp1 = tpp;
7410			if (SCTP_TSN_GT(tp1->rec.data.TSN_seq, data_list[i]->rec.data.TSN_seq)) {
7411				goto back_up_more;
7412			}
7413			TAILQ_INSERT_AFTER(&asoc->sent_queue, tp1, data_list[i], sctp_next);
7414		} else {
7415			TAILQ_INSERT_TAIL(&asoc->sent_queue,
7416					  data_list[i],
7417					  sctp_next);
7418		}
7419	all_done:
7420		/* This does not lower until the cum-ack passes it */
7421		asoc->sent_queue_cnt++;
7422		if ((asoc->peers_rwnd <= 0) &&
7423		    (asoc->total_flight == 0) &&
7424		    (bundle_at == 1)) {
7425			/* Mark the chunk as being a window probe */
7426			SCTP_STAT_INCR(sctps_windowprobed);
7427		}
7428#ifdef SCTP_AUDITING_ENABLED
7429		sctp_audit_log(0xC2, 3);
7430#endif
7431		data_list[i]->sent = SCTP_DATAGRAM_SENT;
7432		data_list[i]->snd_count = 1;
7433		data_list[i]->rec.data.chunk_was_revoked = 0;
7434		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
7435			sctp_misc_ints(SCTP_FLIGHT_LOG_UP,
7436				       data_list[i]->whoTo->flight_size,
7437				       data_list[i]->book_size,
7438				       (uintptr_t)data_list[i]->whoTo,
7439				       data_list[i]->rec.data.TSN_seq);
7440		}
7441		sctp_flight_size_increase(data_list[i]);
7442		sctp_total_flight_increase(stcb, data_list[i]);
7443		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
7444			sctp_log_rwnd(SCTP_DECREASE_PEER_RWND,
7445			      asoc->peers_rwnd, data_list[i]->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
7446		}
7447		asoc->peers_rwnd = sctp_sbspace_sub(asoc->peers_rwnd,
7448						    (uint32_t) (data_list[i]->send_size + SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)));
7449		if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
7450			/* SWS sender side engages */
7451			asoc->peers_rwnd = 0;
7452		}
7453	}
7454	if (asoc->cc_functions.sctp_cwnd_update_packet_transmitted) {
7455		(*asoc->cc_functions.sctp_cwnd_update_packet_transmitted)(stcb, net);
7456	}
7457}
7458
7459static void
7460sctp_clean_up_ctl(struct sctp_tcb *stcb, struct sctp_association *asoc, int so_locked
7461#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
7462	SCTP_UNUSED
7463#endif
7464)
7465{
7466	struct sctp_tmit_chunk *chk, *nchk;
7467
7468	TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
7469		if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
7470		    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK) ||	/* EY */
7471		    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) ||
7472		    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_ACK) ||
7473		    (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) ||
7474		    (chk->rec.chunk_id.id == SCTP_SHUTDOWN) ||
7475		    (chk->rec.chunk_id.id == SCTP_SHUTDOWN_ACK) ||
7476		    (chk->rec.chunk_id.id == SCTP_OPERATION_ERROR) ||
7477		    (chk->rec.chunk_id.id == SCTP_PACKET_DROPPED) ||
7478		    (chk->rec.chunk_id.id == SCTP_COOKIE_ACK) ||
7479		    (chk->rec.chunk_id.id == SCTP_ECN_CWR) ||
7480		    (chk->rec.chunk_id.id == SCTP_ASCONF_ACK)) {
7481			/* Stray chunks must be cleaned up */
7482	clean_up_anyway:
7483			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
7484			if (chk->data) {
7485				sctp_m_freem(chk->data);
7486				chk->data = NULL;
7487			}
7488			asoc->ctrl_queue_cnt--;
7489			if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN)
7490				asoc->fwd_tsn_cnt--;
7491			sctp_free_a_chunk(stcb, chk, so_locked);
7492		} else if (chk->rec.chunk_id.id == SCTP_STREAM_RESET) {
7493			/* special handling, we must look into the param */
7494			if (chk != asoc->str_reset) {
7495				goto clean_up_anyway;
7496			}
7497		}
7498	}
7499}
7500
7501
7502static int
7503sctp_can_we_split_this(struct sctp_tcb *stcb,
7504                       uint32_t length,
7505                       uint32_t goal_mtu, uint32_t frag_point, int eeor_on)
7506{
7507	/* Make a decision on if I should split a
7508	 * msg into multiple parts. This is only asked of
7509	 * incomplete messages.
7510	 */
7511	if (eeor_on) {
7512		/* If we are doing EEOR we need to always send
7513		 * it if its the entire thing, since it might
7514		 * be all the guy is putting in the hopper.
7515		 */
7516		if (goal_mtu >= length) {
7517			/*-
7518			 * If we have data outstanding,
7519			 * we get another chance when the sack
7520			 * arrives to transmit - wait for more data
7521			 */
7522			if (stcb->asoc.total_flight == 0) {
7523				/* If nothing is in flight, we zero
7524				 * the packet counter.
7525				 */
7526				return (length);
7527			}
7528			return (0);
7529
7530		} else {
7531			/* You can fill the rest */
7532			return (goal_mtu);
7533		}
7534	}
7535	/*-
7536	 * For those strange folk that make the send buffer
7537	 * smaller than our fragmentation point, we can't
7538	 * get a full msg in so we have to allow splitting.
7539	 */
7540	if (SCTP_SB_LIMIT_SND(stcb->sctp_socket) < frag_point) {
7541		return (length);
7542	}
7543
7544	if ((length <= goal_mtu) ||
7545	    ((length - goal_mtu) < SCTP_BASE_SYSCTL(sctp_min_residual))) {
7546		/* Sub-optimial residual don't split in non-eeor mode. */
7547		return (0);
7548	}
7549	/* If we reach here length is larger
7550	 * than the goal_mtu. Do we wish to split
7551	 * it for the sake of packet putting together?
7552	 */
7553	if (goal_mtu >= min(SCTP_BASE_SYSCTL(sctp_min_split_point), frag_point)) {
7554		/* Its ok to split it */
7555		return (min(goal_mtu, frag_point));
7556	}
7557	/* Nope, can't split */
7558	return (0);
7559
7560}
7561
7562static uint32_t
7563sctp_move_to_outqueue(struct sctp_tcb *stcb,
7564                      struct sctp_stream_out *strq,
7565                      uint32_t goal_mtu,
7566                      uint32_t frag_point,
7567                      int *locked,
7568                      int *giveup,
7569                      int eeor_mode,
7570                      int *bail,
7571                      int so_locked
7572#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
7573                      SCTP_UNUSED
7574#endif
7575	)
7576{
7577	/* Move from the stream to the send_queue keeping track of the total */
7578	struct sctp_association *asoc;
7579	struct sctp_stream_queue_pending *sp;
7580	struct sctp_tmit_chunk *chk;
7581	struct sctp_data_chunk *dchkh;
7582	uint32_t to_move, length;
7583	uint8_t rcv_flags = 0;
7584	uint8_t some_taken;
7585	uint8_t send_lock_up = 0;
7586
7587	SCTP_TCB_LOCK_ASSERT(stcb);
7588	asoc = &stcb->asoc;
7589one_more_time:
7590	/*sa_ignore FREED_MEMORY*/
7591	sp = TAILQ_FIRST(&strq->outqueue);
7592	if (sp == NULL) {
7593		*locked = 0;
7594		if (send_lock_up == 0) {
7595			SCTP_TCB_SEND_LOCK(stcb);
7596			send_lock_up = 1;
7597		}
7598		sp = TAILQ_FIRST(&strq->outqueue);
7599		if (sp) {
7600			goto one_more_time;
7601		}
7602		if (strq->last_msg_incomplete) {
7603			SCTP_PRINTF("Huh? Stream:%d lm_in_c=%d but queue is NULL\n",
7604			            strq->stream_no,
7605			            strq->last_msg_incomplete);
7606			strq->last_msg_incomplete = 0;
7607		}
7608		to_move = 0;
7609		if (send_lock_up) {
7610			SCTP_TCB_SEND_UNLOCK(stcb);
7611			send_lock_up = 0;
7612		}
7613		goto out_of;
7614	}
7615	if ((sp->msg_is_complete) && (sp->length == 0)) {
7616		if (sp->sender_all_done) {
7617			/* We are doing differed cleanup. Last
7618			 * time through when we took all the data
7619			 * the sender_all_done was not set.
7620			 */
7621			if ((sp->put_last_out == 0) && (sp->discard_rest == 0)) {
7622				SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n");
7623				SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d send_lock:%d\n",
7624				            sp->sender_all_done,
7625				            sp->length,
7626				            sp->msg_is_complete,
7627				            sp->put_last_out,
7628				            send_lock_up);
7629			}
7630			if ((TAILQ_NEXT(sp, next) == NULL) && (send_lock_up  == 0)) {
7631				SCTP_TCB_SEND_LOCK(stcb);
7632				send_lock_up = 1;
7633			}
7634			atomic_subtract_int(&asoc->stream_queue_cnt, 1);
7635			TAILQ_REMOVE(&strq->outqueue, sp, next);
7636			stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, strq, sp, send_lock_up);
7637			if (sp->net) {
7638				sctp_free_remote_addr(sp->net);
7639				sp->net = NULL;
7640			}
7641			if (sp->data) {
7642				sctp_m_freem(sp->data);
7643				sp->data = NULL;
7644			}
7645			sctp_free_a_strmoq(stcb, sp, so_locked);
7646			/* we can't be locked to it */
7647			*locked = 0;
7648			stcb->asoc.locked_on_sending = NULL;
7649			if (send_lock_up) {
7650				SCTP_TCB_SEND_UNLOCK(stcb);
7651				send_lock_up = 0;
7652			}
7653			/* back to get the next msg */
7654			goto one_more_time;
7655		} else {
7656			/* sender just finished this but
7657			 * still holds a reference
7658			 */
7659			*locked = 1;
7660			*giveup = 1;
7661			to_move = 0;
7662			goto out_of;
7663		}
7664	} else {
7665		/* is there some to get */
7666		if (sp->length == 0) {
7667			/* no */
7668			*locked = 1;
7669			*giveup = 1;
7670			to_move = 0;
7671			goto out_of;
7672		} else if (sp->discard_rest) {
7673			if (send_lock_up == 0) {
7674				SCTP_TCB_SEND_LOCK(stcb);
7675				send_lock_up = 1;
7676			}
7677			/* Whack down the size */
7678			atomic_subtract_int(&stcb->asoc.total_output_queue_size, sp->length);
7679			if ((stcb->sctp_socket != NULL) &&	     \
7680			    ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
7681			     (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL))) {
7682				atomic_subtract_int(&stcb->sctp_socket->so_snd.sb_cc, sp->length);
7683			}
7684			if (sp->data) {
7685				sctp_m_freem(sp->data);
7686				sp->data = NULL;
7687				sp->tail_mbuf = NULL;
7688			}
7689			sp->length = 0;
7690			sp->some_taken = 1;
7691			*locked = 1;
7692			*giveup = 1;
7693			to_move = 0;
7694			goto out_of;
7695		}
7696	}
7697	some_taken = sp->some_taken;
7698	if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
7699		sp->msg_is_complete = 1;
7700	}
7701re_look:
7702	length = sp->length;
7703	if (sp->msg_is_complete) {
7704		/* The message is complete */
7705		to_move = min(length, frag_point);
7706		if (to_move == length) {
7707			/* All of it fits in the MTU */
7708			if (sp->some_taken) {
7709				rcv_flags |= SCTP_DATA_LAST_FRAG;
7710				sp->put_last_out = 1;
7711			} else {
7712				rcv_flags |= SCTP_DATA_NOT_FRAG;
7713				sp->put_last_out = 1;
7714			}
7715		} else {
7716			/* Not all of it fits, we fragment */
7717			if (sp->some_taken == 0) {
7718				rcv_flags |= SCTP_DATA_FIRST_FRAG;
7719			}
7720			sp->some_taken = 1;
7721		}
7722	} else {
7723		to_move = sctp_can_we_split_this(stcb, length, goal_mtu, frag_point, eeor_mode);
7724		if (to_move) {
7725			/*-
7726			 * We use a snapshot of length in case it
7727			 * is expanding during the compare.
7728			 */
7729			uint32_t llen;
7730
7731			llen = length;
7732			if (to_move >= llen) {
7733				to_move = llen;
7734				if (send_lock_up == 0) {
7735					/*-
7736					 * We are taking all of an incomplete msg
7737					 * thus we need a send lock.
7738					 */
7739					SCTP_TCB_SEND_LOCK(stcb);
7740					send_lock_up = 1;
7741					if (sp->msg_is_complete) {
7742						/* the sender finished the msg */
7743						goto re_look;
7744					}
7745				}
7746			}
7747			if (sp->some_taken == 0) {
7748				rcv_flags |= SCTP_DATA_FIRST_FRAG;
7749				sp->some_taken = 1;
7750			}
7751		} else {
7752			/* Nothing to take. */
7753			if (sp->some_taken) {
7754				*locked = 1;
7755			}
7756			*giveup = 1;
7757			to_move = 0;
7758			goto out_of;
7759		}
7760	}
7761
7762	/* If we reach here, we can copy out a chunk */
7763	sctp_alloc_a_chunk(stcb, chk);
7764	if (chk == NULL) {
7765		/* No chunk memory */
7766		*giveup = 1;
7767		to_move = 0;
7768		goto out_of;
7769	}
7770	/* Setup for unordered if needed by looking
7771	 * at the user sent info flags.
7772	 */
7773	if (sp->sinfo_flags & SCTP_UNORDERED) {
7774		rcv_flags |= SCTP_DATA_UNORDERED;
7775	}
7776	if ((SCTP_BASE_SYSCTL(sctp_enable_sack_immediately) && ((sp->sinfo_flags & SCTP_EOF) == SCTP_EOF)) ||
7777	    ((sp->sinfo_flags & SCTP_SACK_IMMEDIATELY) == SCTP_SACK_IMMEDIATELY)) {
7778		rcv_flags |= SCTP_DATA_SACK_IMMEDIATELY;
7779	}
7780	/* clear out the chunk before setting up */
7781	memset(chk, 0, sizeof(*chk));
7782	chk->rec.data.rcv_flags = rcv_flags;
7783
7784	if (to_move >= length) {
7785		/* we think we can steal the whole thing */
7786		if ((sp->sender_all_done == 0) && (send_lock_up == 0)) {
7787			SCTP_TCB_SEND_LOCK(stcb);
7788			send_lock_up = 1;
7789		}
7790		if (to_move < sp->length) {
7791			/* bail, it changed */
7792			goto dont_do_it;
7793		}
7794		chk->data = sp->data;
7795		chk->last_mbuf = sp->tail_mbuf;
7796		/* register the stealing */
7797		sp->data = sp->tail_mbuf = NULL;
7798	} else {
7799		struct mbuf *m;
7800	dont_do_it:
7801		chk->data = SCTP_M_COPYM(sp->data, 0, to_move, M_NOWAIT);
7802		chk->last_mbuf = NULL;
7803		if (chk->data == NULL) {
7804			sp->some_taken = some_taken;
7805			sctp_free_a_chunk(stcb, chk, so_locked);
7806			*bail = 1;
7807			to_move = 0;
7808			goto out_of;
7809		}
7810#ifdef SCTP_MBUF_LOGGING
7811		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
7812			struct mbuf *mat;
7813
7814			for (mat = chk->data; mat; mat = SCTP_BUF_NEXT(mat)) {
7815				if (SCTP_BUF_IS_EXTENDED(mat)) {
7816					sctp_log_mb(mat, SCTP_MBUF_ICOPY);
7817				}
7818			}
7819		}
7820#endif
7821		/* Pull off the data */
7822		m_adj(sp->data, to_move);
7823		/* Now lets work our way down and compact it */
7824		m = sp->data;
7825		while (m && (SCTP_BUF_LEN(m) == 0)) {
7826			sp->data  = SCTP_BUF_NEXT(m);
7827			SCTP_BUF_NEXT(m) = NULL;
7828			if (sp->tail_mbuf == m) {
7829				/*-
7830				 * Freeing tail? TSNH since
7831				 * we supposedly were taking less
7832				 * than the sp->length.
7833				 */
7834#ifdef INVARIANTS
7835				panic("Huh, freing tail? - TSNH");
7836#else
7837				SCTP_PRINTF("Huh, freeing tail? - TSNH\n");
7838				sp->tail_mbuf = sp->data = NULL;
7839				sp->length = 0;
7840#endif
7841
7842			}
7843			sctp_m_free(m);
7844			m = sp->data;
7845		}
7846	}
7847	if (SCTP_BUF_IS_EXTENDED(chk->data)) {
7848		chk->copy_by_ref = 1;
7849	} else {
7850		chk->copy_by_ref = 0;
7851	}
7852	/* get last_mbuf and counts of mb useage
7853	 * This is ugly but hopefully its only one mbuf.
7854	 */
7855	if (chk->last_mbuf == NULL) {
7856		chk->last_mbuf = chk->data;
7857		while (SCTP_BUF_NEXT(chk->last_mbuf) != NULL) {
7858			chk->last_mbuf = SCTP_BUF_NEXT(chk->last_mbuf);
7859		}
7860	}
7861
7862	if (to_move > length) {
7863		/*- This should not happen either
7864		 * since we always lower to_move to the size
7865		 * of sp->length if its larger.
7866		 */
7867#ifdef INVARIANTS
7868		panic("Huh, how can to_move be larger?");
7869#else
7870		SCTP_PRINTF("Huh, how can to_move be larger?\n");
7871		sp->length = 0;
7872#endif
7873	} else {
7874		atomic_subtract_int(&sp->length, to_move);
7875	}
7876	if (M_LEADINGSPACE(chk->data) < (int)sizeof(struct sctp_data_chunk)) {
7877		/* Not enough room for a chunk header, get some */
7878		struct mbuf *m;
7879		m = sctp_get_mbuf_for_msg(1, 0, M_NOWAIT, 0, MT_DATA);
7880		if (m == NULL) {
7881			/*
7882			 * we're in trouble here. _PREPEND below will free
7883			 * all the data if there is no leading space, so we
7884			 * must put the data back and restore.
7885			 */
7886			if (send_lock_up == 0) {
7887				SCTP_TCB_SEND_LOCK(stcb);
7888				send_lock_up = 1;
7889			}
7890			if (chk->data == NULL) {
7891				/* unsteal the data */
7892				sp->data = chk->data;
7893				sp->tail_mbuf = chk->last_mbuf;
7894			} else {
7895				struct mbuf *m_tmp;
7896				/* reassemble the data */
7897				m_tmp = sp->data;
7898				sp->data = chk->data;
7899				SCTP_BUF_NEXT(chk->last_mbuf) = m_tmp;
7900			}
7901			sp->some_taken = some_taken;
7902			atomic_add_int(&sp->length, to_move);
7903			chk->data = NULL;
7904			*bail = 1;
7905			sctp_free_a_chunk(stcb, chk, so_locked);
7906			to_move = 0;
7907			goto out_of;
7908		} else {
7909			SCTP_BUF_LEN(m) = 0;
7910			SCTP_BUF_NEXT(m) = chk->data;
7911			chk->data = m;
7912			M_ALIGN(chk->data, 4);
7913		}
7914	}
7915	SCTP_BUF_PREPEND(chk->data, sizeof(struct sctp_data_chunk), M_NOWAIT);
7916	if (chk->data == NULL) {
7917		/* HELP, TSNH since we assured it would not above? */
7918#ifdef INVARIANTS
7919		panic("prepend failes HELP?");
7920#else
7921		SCTP_PRINTF("prepend fails HELP?\n");
7922		sctp_free_a_chunk(stcb, chk, so_locked);
7923#endif
7924		*bail = 1;
7925		to_move = 0;
7926		goto out_of;
7927	}
7928	sctp_snd_sb_alloc(stcb, sizeof(struct sctp_data_chunk));
7929	chk->book_size = chk->send_size = (to_move + sizeof(struct sctp_data_chunk));
7930	chk->book_size_scale = 0;
7931	chk->sent = SCTP_DATAGRAM_UNSENT;
7932
7933	chk->flags = 0;
7934	chk->asoc = &stcb->asoc;
7935	chk->pad_inplace = 0;
7936	chk->no_fr_allowed = 0;
7937	chk->rec.data.stream_seq = strq->next_sequence_send;
7938	if ((rcv_flags & SCTP_DATA_LAST_FRAG) &&
7939	    !(rcv_flags & SCTP_DATA_UNORDERED)) {
7940		strq->next_sequence_send++;
7941	}
7942	chk->rec.data.stream_number = sp->stream;
7943	chk->rec.data.payloadtype = sp->ppid;
7944	chk->rec.data.context = sp->context;
7945	chk->rec.data.doing_fast_retransmit = 0;
7946
7947	chk->rec.data.timetodrop = sp->ts;
7948	chk->flags = sp->act_flags;
7949
7950	if (sp->net) {
7951		chk->whoTo = sp->net;
7952		atomic_add_int(&chk->whoTo->ref_count, 1);
7953	} else
7954		chk->whoTo = NULL;
7955
7956	if (sp->holds_key_ref) {
7957		chk->auth_keyid = sp->auth_keyid;
7958		sctp_auth_key_acquire(stcb, chk->auth_keyid);
7959		chk->holds_key_ref = 1;
7960	}
7961#if defined(__FreeBSD__) || defined(__Panda__)
7962	chk->rec.data.TSN_seq = atomic_fetchadd_int(&asoc->sending_seq, 1);
7963#else
7964	chk->rec.data.TSN_seq = asoc->sending_seq++;
7965#endif
7966	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_AT_SEND_2_OUTQ) {
7967		sctp_misc_ints(SCTP_STRMOUT_LOG_SEND,
7968		               (uintptr_t)stcb, sp->length,
7969		               (uint32_t)((chk->rec.data.stream_number << 16) | chk->rec.data.stream_seq),
7970		               chk->rec.data.TSN_seq);
7971	}
7972	dchkh = mtod(chk->data, struct sctp_data_chunk *);
7973	/*
7974	 * Put the rest of the things in place now. Size was done
7975	 * earlier in previous loop prior to padding.
7976	 */
7977
7978#ifdef SCTP_ASOCLOG_OF_TSNS
7979	SCTP_TCB_LOCK_ASSERT(stcb);
7980	if (asoc->tsn_out_at >= SCTP_TSN_LOG_SIZE) {
7981		asoc->tsn_out_at = 0;
7982		asoc->tsn_out_wrapped = 1;
7983	}
7984	asoc->out_tsnlog[asoc->tsn_out_at].tsn = chk->rec.data.TSN_seq;
7985	asoc->out_tsnlog[asoc->tsn_out_at].strm = chk->rec.data.stream_number;
7986	asoc->out_tsnlog[asoc->tsn_out_at].seq = chk->rec.data.stream_seq;
7987	asoc->out_tsnlog[asoc->tsn_out_at].sz = chk->send_size;
7988	asoc->out_tsnlog[asoc->tsn_out_at].flgs = chk->rec.data.rcv_flags;
7989	asoc->out_tsnlog[asoc->tsn_out_at].stcb = (void *)stcb;
7990	asoc->out_tsnlog[asoc->tsn_out_at].in_pos = asoc->tsn_out_at;
7991	asoc->out_tsnlog[asoc->tsn_out_at].in_out = 2;
7992	asoc->tsn_out_at++;
7993#endif
7994
7995	dchkh->ch.chunk_type = SCTP_DATA;
7996	dchkh->ch.chunk_flags = chk->rec.data.rcv_flags;
7997	dchkh->dp.tsn = htonl(chk->rec.data.TSN_seq);
7998	dchkh->dp.stream_id = htons(strq->stream_no);
7999	dchkh->dp.stream_sequence = htons(chk->rec.data.stream_seq);
8000	dchkh->dp.protocol_id = chk->rec.data.payloadtype;
8001	dchkh->ch.chunk_length = htons(chk->send_size);
8002	/* Now advance the chk->send_size by the actual pad needed. */
8003	if (chk->send_size < SCTP_SIZE32(chk->book_size)) {
8004		/* need a pad */
8005		struct mbuf *lm;
8006		int pads;
8007
8008		pads = SCTP_SIZE32(chk->book_size) - chk->send_size;
8009		lm = sctp_pad_lastmbuf(chk->data, pads, chk->last_mbuf);
8010		if (lm != NULL) {
8011			chk->last_mbuf = lm;
8012			chk->pad_inplace = 1;
8013		}
8014		chk->send_size += pads;
8015	}
8016	if (PR_SCTP_ENABLED(chk->flags)) {
8017		asoc->pr_sctp_cnt++;
8018	}
8019	if (sp->msg_is_complete && (sp->length == 0) && (sp->sender_all_done)) {
8020		/* All done pull and kill the message */
8021		atomic_subtract_int(&asoc->stream_queue_cnt, 1);
8022		if (sp->put_last_out == 0) {
8023			SCTP_PRINTF("Gak, put out entire msg with NO end!-2\n");
8024			SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d send_lock:%d\n",
8025			            sp->sender_all_done,
8026			            sp->length,
8027			            sp->msg_is_complete,
8028			            sp->put_last_out,
8029			            send_lock_up);
8030		}
8031		if ((send_lock_up == 0) && (TAILQ_NEXT(sp, next) == NULL)) {
8032			SCTP_TCB_SEND_LOCK(stcb);
8033			send_lock_up = 1;
8034		}
8035		TAILQ_REMOVE(&strq->outqueue, sp, next);
8036		stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, strq, sp, send_lock_up);
8037		if (sp->net) {
8038			sctp_free_remote_addr(sp->net);
8039			sp->net = NULL;
8040		}
8041		if (sp->data) {
8042			sctp_m_freem(sp->data);
8043			sp->data = NULL;
8044		}
8045		sctp_free_a_strmoq(stcb, sp, so_locked);
8046
8047		/* we can't be locked to it */
8048		*locked = 0;
8049		stcb->asoc.locked_on_sending = NULL;
8050	} else {
8051		/* more to go, we are locked */
8052		*locked = 1;
8053	}
8054	asoc->chunks_on_out_queue++;
8055	strq->chunks_on_queues++;
8056	TAILQ_INSERT_TAIL(&asoc->send_queue, chk, sctp_next);
8057	asoc->send_queue_cnt++;
8058out_of:
8059	if (send_lock_up) {
8060		SCTP_TCB_SEND_UNLOCK(stcb);
8061	}
8062	return (to_move);
8063}
8064
8065
8066static void
8067sctp_fill_outqueue(struct sctp_tcb *stcb,
8068    struct sctp_nets *net, int frag_point, int eeor_mode, int *quit_now, int so_locked
8069#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
8070	SCTP_UNUSED
8071#endif
8072)
8073{
8074	struct sctp_association *asoc;
8075	struct sctp_stream_out *strq;
8076	int goal_mtu, moved_how_much, total_moved = 0, bail = 0;
8077	int locked, giveup;
8078
8079	SCTP_TCB_LOCK_ASSERT(stcb);
8080	asoc = &stcb->asoc;
8081	switch (net->ro._l_addr.sa.sa_family) {
8082#ifdef INET
8083		case AF_INET:
8084			goal_mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
8085			break;
8086#endif
8087#ifdef INET6
8088		case AF_INET6:
8089			goal_mtu = net->mtu - SCTP_MIN_OVERHEAD;
8090			break;
8091#endif
8092#if defined(__Userspace__)
8093		case AF_CONN:
8094			goal_mtu = net->mtu - sizeof(struct sctphdr);
8095			break;
8096#endif
8097		default:
8098			/* TSNH */
8099			goal_mtu = net->mtu;
8100			break;
8101	}
8102	/* Need an allowance for the data chunk header too */
8103	goal_mtu -= sizeof(struct sctp_data_chunk);
8104
8105	/* must make even word boundary */
8106	goal_mtu &= 0xfffffffc;
8107	if (asoc->locked_on_sending) {
8108		/* We are stuck on one stream until the message completes. */
8109		strq = asoc->locked_on_sending;
8110		locked = 1;
8111	} else {
8112		strq = stcb->asoc.ss_functions.sctp_ss_select_stream(stcb, net, asoc);
8113		locked = 0;
8114	}
8115	while ((goal_mtu > 0) && strq) {
8116		giveup = 0;
8117		bail = 0;
8118		moved_how_much = sctp_move_to_outqueue(stcb, strq, goal_mtu, frag_point, &locked,
8119						       &giveup, eeor_mode, &bail, so_locked);
8120		if (moved_how_much)
8121			stcb->asoc.ss_functions.sctp_ss_scheduled(stcb, net, asoc, strq, moved_how_much);
8122
8123		if (locked) {
8124			asoc->locked_on_sending = strq;
8125			if ((moved_how_much == 0) || (giveup) || bail)
8126				/* no more to move for now */
8127				break;
8128		} else {
8129			asoc->locked_on_sending = NULL;
8130			if ((giveup) || bail) {
8131				break;
8132			}
8133			strq = stcb->asoc.ss_functions.sctp_ss_select_stream(stcb, net, asoc);
8134			if (strq == NULL) {
8135				break;
8136			}
8137		}
8138		total_moved += moved_how_much;
8139		goal_mtu -= (moved_how_much + sizeof(struct sctp_data_chunk));
8140		goal_mtu &= 0xfffffffc;
8141	}
8142	if (bail)
8143		*quit_now = 1;
8144
8145	stcb->asoc.ss_functions.sctp_ss_packet_done(stcb, net, asoc);
8146
8147	if (total_moved == 0) {
8148		if ((stcb->asoc.sctp_cmt_on_off == 0) &&
8149		    (net == stcb->asoc.primary_destination)) {
8150			/* ran dry for primary network net */
8151			SCTP_STAT_INCR(sctps_primary_randry);
8152		} else if (stcb->asoc.sctp_cmt_on_off > 0) {
8153			/* ran dry with CMT on */
8154			SCTP_STAT_INCR(sctps_cmt_randry);
8155		}
8156	}
8157}
8158
8159void
8160sctp_fix_ecn_echo(struct sctp_association *asoc)
8161{
8162	struct sctp_tmit_chunk *chk;
8163
8164	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
8165		if (chk->rec.chunk_id.id == SCTP_ECN_ECHO) {
8166			chk->sent = SCTP_DATAGRAM_UNSENT;
8167		}
8168	}
8169}
8170
8171void
8172sctp_move_chunks_from_net(struct sctp_tcb *stcb, struct sctp_nets *net)
8173{
8174	struct sctp_association *asoc;
8175	struct sctp_tmit_chunk *chk;
8176	struct sctp_stream_queue_pending *sp;
8177	unsigned int i;
8178
8179	if (net == NULL) {
8180		return;
8181	}
8182	asoc = &stcb->asoc;
8183	for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
8184		TAILQ_FOREACH(sp, &stcb->asoc.strmout[i].outqueue, next) {
8185			if (sp->net == net) {
8186				sctp_free_remote_addr(sp->net);
8187				sp->net = NULL;
8188			}
8189		}
8190	}
8191	TAILQ_FOREACH(chk, &asoc->send_queue, sctp_next) {
8192		if (chk->whoTo == net) {
8193			sctp_free_remote_addr(chk->whoTo);
8194			chk->whoTo = NULL;
8195		}
8196	}
8197}
8198
8199int
8200sctp_med_chunk_output(struct sctp_inpcb *inp,
8201		      struct sctp_tcb *stcb,
8202		      struct sctp_association *asoc,
8203		      int *num_out,
8204		      int *reason_code,
8205		      int control_only, int from_where,
8206		      struct timeval *now, int *now_filled, int frag_point, int so_locked
8207#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
8208		      SCTP_UNUSED
8209#endif
8210	)
8211{
8212	/**
8213	 * Ok this is the generic chunk service queue. we must do the
8214	 * following: - Service the stream queue that is next, moving any
8215	 * message (note I must get a complete message i.e. FIRST/MIDDLE and
8216	 * LAST to the out queue in one pass) and assigning TSN's - Check to
8217	 * see if the cwnd/rwnd allows any output, if so we go ahead and
8218	 * fomulate and send the low level chunks. Making sure to combine
8219	 * any control in the control chunk queue also.
8220	 */
8221	struct sctp_nets *net, *start_at, *sack_goes_to = NULL, *old_start_at = NULL;
8222	struct mbuf *outchain, *endoutchain;
8223	struct sctp_tmit_chunk *chk, *nchk;
8224
8225	/* temp arrays for unlinking */
8226	struct sctp_tmit_chunk *data_list[SCTP_MAX_DATA_BUNDLING];
8227	int no_fragmentflg, error;
8228	unsigned int max_rwnd_per_dest, max_send_per_dest;
8229	int one_chunk, hbflag, skip_data_for_this_net;
8230	int asconf, cookie, no_out_cnt;
8231	int bundle_at, ctl_cnt, no_data_chunks, eeor_mode;
8232	unsigned int mtu, r_mtu, omtu, mx_mtu, to_out;
8233	int tsns_sent = 0;
8234	uint32_t auth_offset = 0;
8235	struct sctp_auth_chunk *auth = NULL;
8236	uint16_t auth_keyid;
8237	int override_ok = 1;
8238	int skip_fill_up = 0;
8239	int data_auth_reqd = 0;
8240	/* JRS 5/14/07 - Add flag for whether a heartbeat is sent to
8241	   the destination. */
8242	int quit_now = 0;
8243
8244#if defined(__APPLE__)
8245	if (so_locked) {
8246		sctp_lock_assert(SCTP_INP_SO(inp));
8247	} else {
8248		sctp_unlock_assert(SCTP_INP_SO(inp));
8249	}
8250#endif
8251	*num_out = 0;
8252	auth_keyid = stcb->asoc.authinfo.active_keyid;
8253	if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
8254	    (asoc->state & SCTP_STATE_SHUTDOWN_RECEIVED) ||
8255	    (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR))) {
8256		eeor_mode = 1;
8257	} else {
8258		eeor_mode = 0;
8259	}
8260	ctl_cnt = no_out_cnt = asconf = cookie = 0;
8261	/*
8262	 * First lets prime the pump. For each destination, if there is room
8263	 * in the flight size, attempt to pull an MTU's worth out of the
8264	 * stream queues into the general send_queue
8265	 */
8266#ifdef SCTP_AUDITING_ENABLED
8267	sctp_audit_log(0xC2, 2);
8268#endif
8269	SCTP_TCB_LOCK_ASSERT(stcb);
8270	hbflag = 0;
8271	if ((control_only) || (asoc->stream_reset_outstanding))
8272		no_data_chunks = 1;
8273	else
8274		no_data_chunks = 0;
8275
8276	/* Nothing to possible to send? */
8277	if ((TAILQ_EMPTY(&asoc->control_send_queue) ||
8278	     (asoc->ctrl_queue_cnt == stcb->asoc.ecn_echo_cnt_onq)) &&
8279	    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
8280	    TAILQ_EMPTY(&asoc->send_queue) &&
8281	    stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) {
8282	nothing_to_send:
8283		*reason_code = 9;
8284		return (0);
8285	}
8286	if (asoc->peers_rwnd == 0) {
8287		/* No room in peers rwnd */
8288		*reason_code = 1;
8289		if (asoc->total_flight > 0) {
8290			/* we are allowed one chunk in flight */
8291			no_data_chunks = 1;
8292		}
8293	}
8294	if (stcb->asoc.ecn_echo_cnt_onq) {
8295		/* Record where a sack goes, if any */
8296		if (no_data_chunks &&
8297		    (asoc->ctrl_queue_cnt == stcb->asoc.ecn_echo_cnt_onq)) {
8298			/* Nothing but ECNe to send - we don't do that */
8299			goto nothing_to_send;
8300		}
8301		TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
8302			if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
8303			    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK)) {
8304				sack_goes_to = chk->whoTo;
8305				break;
8306			}
8307		}
8308	}
8309	max_rwnd_per_dest = ((asoc->peers_rwnd + asoc->total_flight) / asoc->numnets);
8310	if (stcb->sctp_socket)
8311		max_send_per_dest = SCTP_SB_LIMIT_SND(stcb->sctp_socket) / asoc->numnets;
8312	else
8313		max_send_per_dest = 0;
8314	if (no_data_chunks == 0) {
8315		/* How many non-directed chunks are there? */
8316		TAILQ_FOREACH(chk, &asoc->send_queue, sctp_next) {
8317			if (chk->whoTo == NULL) {
8318				/* We already have non-directed
8319				 * chunks on the queue, no need
8320				 * to do a fill-up.
8321				 */
8322				skip_fill_up = 1;
8323				break;
8324			}
8325		}
8326
8327	}
8328	if ((no_data_chunks == 0) &&
8329	    (skip_fill_up == 0) &&
8330	    (!stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc))) {
8331		TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
8332			/*
8333			 * This for loop we are in takes in
8334			 * each net, if its's got space in cwnd and
8335			 * has data sent to it (when CMT is off) then it
8336			 * calls sctp_fill_outqueue for the net. This gets
8337			 * data on the send queue for that network.
8338			 *
8339			 * In sctp_fill_outqueue TSN's are assigned and
8340			 * data is copied out of the stream buffers. Note
8341			 * mostly copy by reference (we hope).
8342			 */
8343			net->window_probe = 0;
8344			if ((net != stcb->asoc.alternate) &&
8345			    ((net->dest_state & SCTP_ADDR_PF) ||
8346			     (!(net->dest_state & SCTP_ADDR_REACHABLE)) ||
8347			     (net->dest_state & SCTP_ADDR_UNCONFIRMED))) {
8348				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
8349					sctp_log_cwnd(stcb, net, 1,
8350						      SCTP_CWND_LOG_FILL_OUTQ_CALLED);
8351				}
8352			        continue;
8353			}
8354			if ((stcb->asoc.cc_functions.sctp_cwnd_new_transmission_begins) &&
8355			    (net->flight_size == 0)) {
8356				(*stcb->asoc.cc_functions.sctp_cwnd_new_transmission_begins)(stcb, net);
8357			}
8358			if (net->flight_size >= net->cwnd) {
8359				/* skip this network, no room - can't fill */
8360				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
8361					sctp_log_cwnd(stcb, net, 3,
8362						      SCTP_CWND_LOG_FILL_OUTQ_CALLED);
8363				}
8364				continue;
8365			}
8366			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
8367				sctp_log_cwnd(stcb, net, 4, SCTP_CWND_LOG_FILL_OUTQ_CALLED);
8368			}
8369			sctp_fill_outqueue(stcb, net, frag_point, eeor_mode, &quit_now, so_locked);
8370			if (quit_now) {
8371				/* memory alloc failure */
8372				no_data_chunks = 1;
8373				break;
8374			}
8375		}
8376	}
8377	/* now service each destination and send out what we can for it */
8378	/* Nothing to send? */
8379	if (TAILQ_EMPTY(&asoc->control_send_queue) &&
8380	    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
8381	    TAILQ_EMPTY(&asoc->send_queue)) {
8382		*reason_code = 8;
8383		return (0);
8384	}
8385
8386	if (asoc->sctp_cmt_on_off > 0) {
8387		/* get the last start point */
8388		start_at = asoc->last_net_cmt_send_started;
8389		if (start_at == NULL) {
8390			/* null so to beginning */
8391			start_at = TAILQ_FIRST(&asoc->nets);
8392		} else {
8393			start_at = TAILQ_NEXT(asoc->last_net_cmt_send_started, sctp_next);
8394			if (start_at == NULL) {
8395				start_at = TAILQ_FIRST(&asoc->nets);
8396			}
8397		}
8398		asoc->last_net_cmt_send_started = start_at;
8399	} else {
8400		start_at = TAILQ_FIRST(&asoc->nets);
8401	}
8402	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
8403		if (chk->whoTo == NULL) {
8404			if (asoc->alternate) {
8405				chk->whoTo = asoc->alternate;
8406			} else {
8407				chk->whoTo = asoc->primary_destination;
8408			}
8409			atomic_add_int(&chk->whoTo->ref_count, 1);
8410		}
8411	}
8412	old_start_at = NULL;
8413again_one_more_time:
8414	for (net = start_at ; net != NULL; net = TAILQ_NEXT(net, sctp_next)) {
8415		/* how much can we send? */
8416		/* SCTPDBG("Examine for sending net:%x\n", (uint32_t)net); */
8417		if (old_start_at && (old_start_at == net)) {
8418			/* through list ocmpletely. */
8419			break;
8420		}
8421		tsns_sent = 0xa;
8422		if (TAILQ_EMPTY(&asoc->control_send_queue) &&
8423		    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
8424		    (net->flight_size >= net->cwnd)) {
8425			/* Nothing on control or asconf and flight is full, we can skip
8426			 * even in the CMT case.
8427			 */
8428			continue;
8429		}
8430		bundle_at = 0;
8431		endoutchain = outchain = NULL;
8432		no_fragmentflg = 1;
8433		one_chunk = 0;
8434		if (net->dest_state & SCTP_ADDR_UNCONFIRMED) {
8435			skip_data_for_this_net = 1;
8436		} else {
8437			skip_data_for_this_net = 0;
8438		}
8439#if !(defined(__Panda__) || defined(__Windows__) || defined(__Userspace__) || defined(__APPLE__))
8440		if ((net->ro.ro_rt) && (net->ro.ro_rt->rt_ifp)) {
8441			/*
8442			 * if we have a route and an ifp check to see if we
8443			 * have room to send to this guy
8444			 */
8445			struct ifnet *ifp;
8446
8447			ifp = net->ro.ro_rt->rt_ifp;
8448			if ((ifp->if_snd.ifq_len + 2) >= ifp->if_snd.ifq_maxlen) {
8449				SCTP_STAT_INCR(sctps_ifnomemqueued);
8450				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
8451					sctp_log_maxburst(stcb, net, ifp->if_snd.ifq_len, ifp->if_snd.ifq_maxlen, SCTP_MAX_IFP_APPLIED);
8452				}
8453				continue;
8454			}
8455		}
8456#endif
8457		switch (((struct sockaddr *)&net->ro._l_addr)->sa_family) {
8458#ifdef INET
8459		case AF_INET:
8460			mtu = net->mtu - (sizeof(struct ip) + sizeof(struct sctphdr));
8461			break;
8462#endif
8463#ifdef INET6
8464		case AF_INET6:
8465			mtu = net->mtu - (sizeof(struct ip6_hdr) + sizeof(struct sctphdr));
8466			break;
8467#endif
8468#if defined(__Userspace__)
8469		case AF_CONN:
8470			mtu = net->mtu - sizeof(struct sctphdr);
8471			break;
8472#endif
8473		default:
8474			/* TSNH */
8475			mtu = net->mtu;
8476			break;
8477		}
8478		mx_mtu = mtu;
8479		to_out = 0;
8480		if (mtu > asoc->peers_rwnd) {
8481			if (asoc->total_flight > 0) {
8482				/* We have a packet in flight somewhere */
8483				r_mtu = asoc->peers_rwnd;
8484			} else {
8485				/* We are always allowed to send one MTU out */
8486				one_chunk = 1;
8487				r_mtu = mtu;
8488			}
8489		} else {
8490			r_mtu = mtu;
8491		}
8492		/************************/
8493		/* ASCONF transmission */
8494		/************************/
8495		/* Now first lets go through the asconf queue */
8496		TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
8497			if (chk->rec.chunk_id.id != SCTP_ASCONF) {
8498				continue;
8499			}
8500			if (chk->whoTo == NULL) {
8501				if (asoc->alternate == NULL) {
8502					if (asoc->primary_destination != net) {
8503						break;
8504					}
8505				} else {
8506					if (asoc->alternate != net) {
8507						break;
8508					}
8509				}
8510			} else {
8511				if (chk->whoTo != net) {
8512					break;
8513				}
8514			}
8515			if (chk->data == NULL) {
8516				break;
8517			}
8518			if (chk->sent != SCTP_DATAGRAM_UNSENT &&
8519			    chk->sent != SCTP_DATAGRAM_RESEND) {
8520				break;
8521			}
8522			/*
8523			 * if no AUTH is yet included and this chunk
8524			 * requires it, make sure to account for it.  We
8525			 * don't apply the size until the AUTH chunk is
8526			 * actually added below in case there is no room for
8527			 * this chunk. NOTE: we overload the use of "omtu"
8528			 * here
8529			 */
8530			if ((auth == NULL) &&
8531			    sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8532							stcb->asoc.peer_auth_chunks)) {
8533				omtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
8534			} else
8535				omtu = 0;
8536			/* Here we do NOT factor the r_mtu */
8537			if ((chk->send_size < (int)(mtu - omtu)) ||
8538			    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
8539				/*
8540				 * We probably should glom the mbuf chain
8541				 * from the chk->data for control but the
8542				 * problem is it becomes yet one more level
8543				 * of tracking to do if for some reason
8544				 * output fails. Then I have got to
8545				 * reconstruct the merged control chain.. el
8546				 * yucko.. for now we take the easy way and
8547				 * do the copy
8548				 */
8549				/*
8550				 * Add an AUTH chunk, if chunk requires it
8551				 * save the offset into the chain for AUTH
8552				 */
8553				if ((auth == NULL) &&
8554				    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8555								 stcb->asoc.peer_auth_chunks))) {
8556					outchain = sctp_add_auth_chunk(outchain,
8557								       &endoutchain,
8558								       &auth,
8559								       &auth_offset,
8560								       stcb,
8561								       chk->rec.chunk_id.id);
8562					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8563				}
8564				outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain,
8565							       (int)chk->rec.chunk_id.can_take_data,
8566							       chk->send_size, chk->copy_by_ref);
8567				if (outchain == NULL) {
8568					*reason_code = 8;
8569					SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
8570					return (ENOMEM);
8571				}
8572				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8573				/* update our MTU size */
8574				if (mtu > (chk->send_size + omtu))
8575					mtu -= (chk->send_size + omtu);
8576				else
8577					mtu = 0;
8578				to_out += (chk->send_size + omtu);
8579				/* Do clear IP_DF ? */
8580				if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
8581					no_fragmentflg = 0;
8582				}
8583				if (chk->rec.chunk_id.can_take_data)
8584					chk->data = NULL;
8585				/*
8586				 * set hb flag since we can
8587				 * use these for RTO
8588				 */
8589				hbflag = 1;
8590				asconf = 1;
8591				/*
8592				 * should sysctl this: don't
8593				 * bundle data with ASCONF
8594				 * since it requires AUTH
8595				 */
8596				no_data_chunks = 1;
8597				chk->sent = SCTP_DATAGRAM_SENT;
8598				if (chk->whoTo == NULL) {
8599					chk->whoTo = net;
8600					atomic_add_int(&net->ref_count, 1);
8601				}
8602				chk->snd_count++;
8603				if (mtu == 0) {
8604					/*
8605					 * Ok we are out of room but we can
8606					 * output without effecting the
8607					 * flight size since this little guy
8608					 * is a control only packet.
8609					 */
8610					sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, net);
8611					/*
8612					 * do NOT clear the asconf
8613					 * flag as it is used to do
8614					 * appropriate source address
8615					 * selection.
8616					 */
8617					if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
8618					                                        (struct sockaddr *)&net->ro._l_addr,
8619					                                        outchain, auth_offset, auth,
8620					                                        stcb->asoc.authinfo.active_keyid,
8621					                                        no_fragmentflg, 0, asconf,
8622					                                        inp->sctp_lport, stcb->rport,
8623					                                        htonl(stcb->asoc.peer_vtag),
8624					                                        net->port, NULL,
8625#if defined(__FreeBSD__)
8626					                                        0, 0,
8627#endif
8628					                                        so_locked))) {
8629						if (error == ENOBUFS) {
8630							asoc->ifp_had_enobuf = 1;
8631							SCTP_STAT_INCR(sctps_lowlevelerr);
8632						}
8633						if (from_where == 0) {
8634							SCTP_STAT_INCR(sctps_lowlevelerrusr);
8635						}
8636						if (*now_filled == 0) {
8637							(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
8638							*now_filled = 1;
8639							*now = net->last_sent_time;
8640						} else {
8641							net->last_sent_time = *now;
8642						}
8643						hbflag = 0;
8644						/* error, could not output */
8645						if (error == EHOSTUNREACH) {
8646							/*
8647							 * Destination went
8648							 * unreachable
8649							 * during this send
8650							 */
8651							sctp_move_chunks_from_net(stcb, net);
8652						}
8653						*reason_code = 7;
8654						continue;
8655					} else
8656						asoc->ifp_had_enobuf = 0;
8657					if (*now_filled == 0) {
8658						(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
8659						*now_filled = 1;
8660						*now = net->last_sent_time;
8661					} else {
8662						net->last_sent_time = *now;
8663					}
8664					hbflag = 0;
8665					/*
8666					 * increase the number we sent, if a
8667					 * cookie is sent we don't tell them
8668					 * any was sent out.
8669					 */
8670					outchain = endoutchain = NULL;
8671					auth = NULL;
8672					auth_offset = 0;
8673					if (!no_out_cnt)
8674						*num_out += ctl_cnt;
8675					/* recalc a clean slate and setup */
8676					switch (net->ro._l_addr.sa.sa_family) {
8677#ifdef INET
8678						case AF_INET:
8679							mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
8680							break;
8681#endif
8682#ifdef INET6
8683						case AF_INET6:
8684							mtu = net->mtu - SCTP_MIN_OVERHEAD;
8685							break;
8686#endif
8687#if defined(__Userspace__)
8688						case AF_CONN:
8689							mtu = net->mtu - sizeof(struct sctphdr);
8690							break;
8691#endif
8692						default:
8693							/* TSNH */
8694							mtu = net->mtu;
8695							break;
8696					}
8697					to_out = 0;
8698					no_fragmentflg = 1;
8699				}
8700			}
8701		}
8702		/************************/
8703		/* Control transmission */
8704		/************************/
8705		/* Now first lets go through the control queue */
8706		TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
8707			if ((sack_goes_to) &&
8708			    (chk->rec.chunk_id.id == SCTP_ECN_ECHO) &&
8709			    (chk->whoTo != sack_goes_to)) {
8710				/*
8711				 * if we have a sack in queue, and we are looking at an
8712				 * ecn echo that is NOT queued to where the sack is going..
8713				 */
8714				if (chk->whoTo == net) {
8715					/* Don't transmit it to where its going (current net) */
8716					continue;
8717				} else if (sack_goes_to == net) {
8718					/* But do transmit it to this address */
8719					goto skip_net_check;
8720				}
8721			}
8722			if (chk->whoTo == NULL) {
8723				if (asoc->alternate == NULL) {
8724					if (asoc->primary_destination != net) {
8725						continue;
8726					}
8727				} else {
8728					if (asoc->alternate != net) {
8729						continue;
8730					}
8731				}
8732			} else {
8733				if (chk->whoTo != net) {
8734					continue;
8735				}
8736			}
8737		skip_net_check:
8738			if (chk->data == NULL) {
8739				continue;
8740			}
8741			if (chk->sent != SCTP_DATAGRAM_UNSENT) {
8742				/*
8743				 * It must be unsent. Cookies and ASCONF's
8744				 * hang around but there timers will force
8745				 * when marked for resend.
8746				 */
8747				continue;
8748			}
8749			/*
8750			 * if no AUTH is yet included and this chunk
8751			 * requires it, make sure to account for it.  We
8752			 * don't apply the size until the AUTH chunk is
8753			 * actually added below in case there is no room for
8754			 * this chunk. NOTE: we overload the use of "omtu"
8755			 * here
8756			 */
8757			if ((auth == NULL) &&
8758			    sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8759							stcb->asoc.peer_auth_chunks)) {
8760				omtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
8761			} else
8762				omtu = 0;
8763			/* Here we do NOT factor the r_mtu */
8764			if ((chk->send_size <= (int)(mtu - omtu)) ||
8765			    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
8766				/*
8767				 * We probably should glom the mbuf chain
8768				 * from the chk->data for control but the
8769				 * problem is it becomes yet one more level
8770				 * of tracking to do if for some reason
8771				 * output fails. Then I have got to
8772				 * reconstruct the merged control chain.. el
8773				 * yucko.. for now we take the easy way and
8774				 * do the copy
8775				 */
8776				/*
8777				 * Add an AUTH chunk, if chunk requires it
8778				 * save the offset into the chain for AUTH
8779				 */
8780				if ((auth == NULL) &&
8781				    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8782								 stcb->asoc.peer_auth_chunks))) {
8783					outchain = sctp_add_auth_chunk(outchain,
8784								       &endoutchain,
8785								       &auth,
8786								       &auth_offset,
8787								       stcb,
8788								       chk->rec.chunk_id.id);
8789					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8790				}
8791				outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain,
8792							       (int)chk->rec.chunk_id.can_take_data,
8793							       chk->send_size, chk->copy_by_ref);
8794				if (outchain == NULL) {
8795					*reason_code = 8;
8796					SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
8797					return (ENOMEM);
8798				}
8799				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8800				/* update our MTU size */
8801				if (mtu > (chk->send_size + omtu))
8802					mtu -= (chk->send_size + omtu);
8803				else
8804					mtu = 0;
8805				to_out += (chk->send_size + omtu);
8806				/* Do clear IP_DF ? */
8807				if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
8808					no_fragmentflg = 0;
8809				}
8810				if (chk->rec.chunk_id.can_take_data)
8811					chk->data = NULL;
8812				/* Mark things to be removed, if needed */
8813				if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
8814				    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK) || /* EY */
8815				    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) ||
8816				    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_ACK) ||
8817				    (chk->rec.chunk_id.id == SCTP_SHUTDOWN) ||
8818				    (chk->rec.chunk_id.id == SCTP_SHUTDOWN_ACK) ||
8819				    (chk->rec.chunk_id.id == SCTP_OPERATION_ERROR) ||
8820				    (chk->rec.chunk_id.id == SCTP_COOKIE_ACK) ||
8821				    (chk->rec.chunk_id.id == SCTP_ECN_CWR) ||
8822				    (chk->rec.chunk_id.id == SCTP_PACKET_DROPPED) ||
8823				    (chk->rec.chunk_id.id == SCTP_ASCONF_ACK)) {
8824					if (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) {
8825						hbflag = 1;
8826					}
8827					/* remove these chunks at the end */
8828					if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
8829					    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK)) {
8830						/* turn off the timer */
8831						if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
8832							sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
8833									inp, stcb, net, SCTP_FROM_SCTP_OUTPUT+SCTP_LOC_1);
8834						}
8835					}
8836					ctl_cnt++;
8837				} else {
8838					/*
8839					 * Other chunks, since they have
8840					 * timers running (i.e. COOKIE)
8841					 * we just "trust" that it
8842					 * gets sent or retransmitted.
8843					 */
8844					ctl_cnt++;
8845					if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
8846						cookie = 1;
8847						no_out_cnt = 1;
8848					} else if (chk->rec.chunk_id.id == SCTP_ECN_ECHO) {
8849						/*
8850						 * Increment ecne send count here
8851						 * this means we may be over-zealous in
8852						 * our counting if the send fails, but its
8853						 * the best place to do it (we used to do
8854						 * it in the queue of the chunk, but that did
8855						 * not tell how many times it was sent.
8856						 */
8857						SCTP_STAT_INCR(sctps_sendecne);
8858					}
8859					chk->sent = SCTP_DATAGRAM_SENT;
8860					if (chk->whoTo == NULL) {
8861						chk->whoTo = net;
8862						atomic_add_int(&net->ref_count, 1);
8863					}
8864					chk->snd_count++;
8865				}
8866				if (mtu == 0) {
8867					/*
8868					 * Ok we are out of room but we can
8869					 * output without effecting the
8870					 * flight size since this little guy
8871					 * is a control only packet.
8872					 */
8873					if (asconf) {
8874						sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, net);
8875						/*
8876						 * do NOT clear the asconf
8877						 * flag as it is used to do
8878						 * appropriate source address
8879						 * selection.
8880						 */
8881					}
8882					if (cookie) {
8883						sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
8884						cookie = 0;
8885					}
8886					if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
8887					                                        (struct sockaddr *)&net->ro._l_addr,
8888					                                        outchain,
8889					                                        auth_offset, auth,
8890					                                        stcb->asoc.authinfo.active_keyid,
8891					                                        no_fragmentflg, 0, asconf,
8892					                                        inp->sctp_lport, stcb->rport,
8893					                                        htonl(stcb->asoc.peer_vtag),
8894					                                        net->port, NULL,
8895#if defined(__FreeBSD__)
8896					                                        0, 0,
8897#endif
8898					                                        so_locked))) {
8899						if (error == ENOBUFS) {
8900							asoc->ifp_had_enobuf = 1;
8901							SCTP_STAT_INCR(sctps_lowlevelerr);
8902						}
8903						if (from_where == 0) {
8904							SCTP_STAT_INCR(sctps_lowlevelerrusr);
8905						}
8906						/* error, could not output */
8907						if (hbflag) {
8908							if (*now_filled == 0) {
8909								(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
8910								*now_filled = 1;
8911								*now = net->last_sent_time;
8912							} else {
8913								net->last_sent_time = *now;
8914							}
8915							hbflag = 0;
8916						}
8917						if (error == EHOSTUNREACH) {
8918							/*
8919							 * Destination went
8920							 * unreachable
8921							 * during this send
8922							 */
8923							sctp_move_chunks_from_net(stcb, net);
8924						}
8925						*reason_code = 7;
8926						continue;
8927					} else
8928						asoc->ifp_had_enobuf = 0;
8929					/* Only HB or ASCONF advances time */
8930					if (hbflag) {
8931						if (*now_filled == 0) {
8932							(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
8933							*now_filled = 1;
8934							*now = net->last_sent_time;
8935						} else {
8936							net->last_sent_time = *now;
8937						}
8938						hbflag = 0;
8939					}
8940					/*
8941					 * increase the number we sent, if a
8942					 * cookie is sent we don't tell them
8943					 * any was sent out.
8944					 */
8945					outchain = endoutchain = NULL;
8946					auth = NULL;
8947					auth_offset = 0;
8948					if (!no_out_cnt)
8949						*num_out += ctl_cnt;
8950					/* recalc a clean slate and setup */
8951					switch (net->ro._l_addr.sa.sa_family) {
8952#ifdef INET
8953						case AF_INET:
8954							mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
8955							break;
8956#endif
8957#ifdef INET6
8958						case AF_INET6:
8959							mtu = net->mtu - SCTP_MIN_OVERHEAD;
8960							break;
8961#endif
8962#if defined(__Userspace__)
8963						case AF_CONN:
8964							mtu = net->mtu - sizeof(struct sctphdr);
8965							break;
8966#endif
8967						default:
8968							/* TSNH */
8969							mtu = net->mtu;
8970							break;
8971					}
8972					to_out = 0;
8973					no_fragmentflg = 1;
8974				}
8975			}
8976		}
8977		/* JRI: if dest is in PF state, do not send data to it */
8978		if ((asoc->sctp_cmt_on_off > 0) &&
8979		    (net != stcb->asoc.alternate) &&
8980		    (net->dest_state & SCTP_ADDR_PF)) {
8981			goto no_data_fill;
8982		}
8983		if (net->flight_size >= net->cwnd) {
8984			goto no_data_fill;
8985		}
8986		if ((asoc->sctp_cmt_on_off > 0) &&
8987		    (SCTP_BASE_SYSCTL(sctp_buffer_splitting) & SCTP_RECV_BUFFER_SPLITTING) &&
8988		    (net->flight_size > max_rwnd_per_dest)) {
8989			goto no_data_fill;
8990		}
8991		/*
8992		 * We need a specific accounting for the usage of the
8993		 * send buffer. We also need to check the number of messages
8994		 * per net. For now, this is better than nothing and it
8995		 * disabled by default...
8996		 */
8997		if ((asoc->sctp_cmt_on_off > 0) &&
8998		    (SCTP_BASE_SYSCTL(sctp_buffer_splitting) & SCTP_SEND_BUFFER_SPLITTING) &&
8999		    (max_send_per_dest > 0) &&
9000		    (net->flight_size > max_send_per_dest)) {
9001			goto no_data_fill;
9002		}
9003		/*********************/
9004		/* Data transmission */
9005		/*********************/
9006		/*
9007		 * if AUTH for DATA is required and no AUTH has been added
9008		 * yet, account for this in the mtu now... if no data can be
9009		 * bundled, this adjustment won't matter anyways since the
9010		 * packet will be going out...
9011		 */
9012		data_auth_reqd = sctp_auth_is_required_chunk(SCTP_DATA,
9013							     stcb->asoc.peer_auth_chunks);
9014		if (data_auth_reqd && (auth == NULL)) {
9015			mtu -= sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
9016		}
9017		/* now lets add any data within the MTU constraints */
9018		switch (((struct sockaddr *)&net->ro._l_addr)->sa_family) {
9019#ifdef INET
9020		case AF_INET:
9021			if (net->mtu > (sizeof(struct ip) + sizeof(struct sctphdr)))
9022				omtu = net->mtu - (sizeof(struct ip) + sizeof(struct sctphdr));
9023			else
9024				omtu = 0;
9025			break;
9026#endif
9027#ifdef INET6
9028		case AF_INET6:
9029			if (net->mtu > (sizeof(struct ip6_hdr) + sizeof(struct sctphdr)))
9030				omtu = net->mtu - (sizeof(struct ip6_hdr) + sizeof(struct sctphdr));
9031			else
9032				omtu = 0;
9033			break;
9034#endif
9035#if defined(__Userspace__)
9036		case AF_CONN:
9037			if (net->mtu > sizeof(struct sctphdr)) {
9038				omtu = net->mtu - sizeof(struct sctphdr);
9039			} else {
9040				omtu = 0;
9041			}
9042			break;
9043#endif
9044		default:
9045			/* TSNH */
9046			omtu = 0;
9047			break;
9048		}
9049		if ((((asoc->state & SCTP_STATE_OPEN) == SCTP_STATE_OPEN) &&
9050		     (skip_data_for_this_net == 0)) ||
9051		    (cookie)) {
9052			TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
9053				if (no_data_chunks) {
9054					/* let only control go out */
9055					*reason_code = 1;
9056					break;
9057				}
9058				if (net->flight_size >= net->cwnd) {
9059					/* skip this net, no room for data */
9060					*reason_code = 2;
9061					break;
9062				}
9063				if ((chk->whoTo != NULL) &&
9064				    (chk->whoTo != net)) {
9065					/* Don't send the chunk on this net */
9066					continue;
9067				}
9068
9069				if (asoc->sctp_cmt_on_off == 0) {
9070					if ((asoc->alternate) &&
9071					    (asoc->alternate != net) &&
9072					    (chk->whoTo == NULL)) {
9073						continue;
9074					} else if ((net != asoc->primary_destination) &&
9075						   (asoc->alternate == NULL) &&
9076						   (chk->whoTo == NULL)) {
9077						continue;
9078					}
9079				}
9080				if ((chk->send_size > omtu) && ((chk->flags & CHUNK_FLAGS_FRAGMENT_OK) == 0)) {
9081					/*-
9082					 * strange, we have a chunk that is
9083					 * to big for its destination and
9084					 * yet no fragment ok flag.
9085					 * Something went wrong when the
9086					 * PMTU changed...we did not mark
9087					 * this chunk for some reason?? I
9088					 * will fix it here by letting IP
9089					 * fragment it for now and printing
9090					 * a warning. This really should not
9091					 * happen ...
9092					 */
9093					SCTP_PRINTF("Warning chunk of %d bytes > mtu:%d and yet PMTU disc missed\n",
9094						    chk->send_size, mtu);
9095					chk->flags |= CHUNK_FLAGS_FRAGMENT_OK;
9096				}
9097				if (SCTP_BASE_SYSCTL(sctp_enable_sack_immediately) &&
9098				    ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) == SCTP_STATE_SHUTDOWN_PENDING)) {
9099					struct sctp_data_chunk *dchkh;
9100
9101					dchkh = mtod(chk->data, struct sctp_data_chunk *);
9102					dchkh->ch.chunk_flags |= SCTP_DATA_SACK_IMMEDIATELY;
9103				}
9104				if (((chk->send_size <= mtu) && (chk->send_size <= r_mtu)) ||
9105				    ((chk->flags & CHUNK_FLAGS_FRAGMENT_OK) && (chk->send_size <= asoc->peers_rwnd))) {
9106					/* ok we will add this one */
9107
9108					/*
9109					 * Add an AUTH chunk, if chunk
9110					 * requires it, save the offset into
9111					 * the chain for AUTH
9112					 */
9113					if (data_auth_reqd) {
9114						if (auth == NULL) {
9115							outchain = sctp_add_auth_chunk(outchain,
9116										       &endoutchain,
9117										       &auth,
9118										       &auth_offset,
9119										       stcb,
9120										       SCTP_DATA);
9121							auth_keyid = chk->auth_keyid;
9122							override_ok = 0;
9123							SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
9124						} else if (override_ok) {
9125							/* use this data's keyid */
9126							auth_keyid = chk->auth_keyid;
9127							override_ok = 0;
9128						} else if (auth_keyid != chk->auth_keyid) {
9129							/* different keyid, so done bundling */
9130							break;
9131						}
9132					}
9133					outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain, 0,
9134								       chk->send_size, chk->copy_by_ref);
9135					if (outchain == NULL) {
9136						SCTPDBG(SCTP_DEBUG_OUTPUT3, "No memory?\n");
9137						if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
9138							sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
9139						}
9140						*reason_code = 3;
9141						SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
9142						return (ENOMEM);
9143					}
9144					/* upate our MTU size */
9145					/* Do clear IP_DF ? */
9146					if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
9147						no_fragmentflg = 0;
9148					}
9149					/* unsigned subtraction of mtu */
9150					if (mtu > chk->send_size)
9151						mtu -= chk->send_size;
9152					else
9153						mtu = 0;
9154					/* unsigned subtraction of r_mtu */
9155					if (r_mtu > chk->send_size)
9156						r_mtu -= chk->send_size;
9157					else
9158						r_mtu = 0;
9159
9160					to_out += chk->send_size;
9161					if ((to_out > mx_mtu) && no_fragmentflg) {
9162#ifdef INVARIANTS
9163						panic("Exceeding mtu of %d out size is %d", mx_mtu, to_out);
9164#else
9165						SCTP_PRINTF("Exceeding mtu of %d out size is %d\n",
9166							    mx_mtu, to_out);
9167#endif
9168					}
9169					chk->window_probe = 0;
9170					data_list[bundle_at++] = chk;
9171					if (bundle_at >= SCTP_MAX_DATA_BUNDLING) {
9172						break;
9173					}
9174					if (chk->sent == SCTP_DATAGRAM_UNSENT) {
9175						if ((chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED) == 0) {
9176							SCTP_STAT_INCR_COUNTER64(sctps_outorderchunks);
9177						} else {
9178							SCTP_STAT_INCR_COUNTER64(sctps_outunorderchunks);
9179						}
9180						if (((chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) == SCTP_DATA_LAST_FRAG) &&
9181						    ((chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) == 0))
9182							/* Count number of user msg's that were fragmented
9183							 * we do this by counting when we see a LAST fragment
9184							 * only.
9185							 */
9186							SCTP_STAT_INCR_COUNTER64(sctps_fragusrmsgs);
9187					}
9188					if ((mtu == 0) || (r_mtu == 0) || (one_chunk)) {
9189						if ((one_chunk) && (stcb->asoc.total_flight == 0)) {
9190							data_list[0]->window_probe = 1;
9191							net->window_probe = 1;
9192						}
9193						break;
9194					}
9195				} else {
9196					/*
9197					 * Must be sent in order of the
9198					 * TSN's (on a network)
9199					 */
9200					break;
9201				}
9202			}	/* for (chunk gather loop for this net) */
9203		}		/* if asoc.state OPEN */
9204	no_data_fill:
9205		/* Is there something to send for this destination? */
9206		if (outchain) {
9207			/* We may need to start a control timer or two */
9208			if (asconf) {
9209				sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp,
9210						 stcb, net);
9211				/*
9212				 * do NOT clear the asconf flag as it is used
9213				 * to do appropriate source address selection.
9214				 */
9215			}
9216			if (cookie) {
9217				sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
9218				cookie = 0;
9219			}
9220			/* must start a send timer if data is being sent */
9221			if (bundle_at && (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer))) {
9222				/*
9223				 * no timer running on this destination
9224				 * restart it.
9225				 */
9226				sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
9227			}
9228			/* Now send it, if there is anything to send :> */
9229			if ((error = sctp_lowlevel_chunk_output(inp,
9230			                                        stcb,
9231			                                        net,
9232			                                        (struct sockaddr *)&net->ro._l_addr,
9233			                                        outchain,
9234			                                        auth_offset,
9235			                                        auth,
9236			                                        auth_keyid,
9237			                                        no_fragmentflg,
9238			                                        bundle_at,
9239			                                        asconf,
9240			                                        inp->sctp_lport, stcb->rport,
9241			                                        htonl(stcb->asoc.peer_vtag),
9242			                                        net->port, NULL,
9243#if defined(__FreeBSD__)
9244			                                        0, 0,
9245#endif
9246			                                        so_locked))) {
9247				/* error, we could not output */
9248				if (error == ENOBUFS) {
9249					SCTP_STAT_INCR(sctps_lowlevelerr);
9250					asoc->ifp_had_enobuf = 1;
9251				}
9252				if (from_where == 0) {
9253					SCTP_STAT_INCR(sctps_lowlevelerrusr);
9254				}
9255				SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
9256				if (hbflag) {
9257					if (*now_filled == 0) {
9258						(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
9259						*now_filled = 1;
9260						*now = net->last_sent_time;
9261					} else {
9262						net->last_sent_time = *now;
9263					}
9264					hbflag = 0;
9265				}
9266				if (error == EHOSTUNREACH) {
9267					/*
9268					 * Destination went unreachable
9269					 * during this send
9270					 */
9271					sctp_move_chunks_from_net(stcb, net);
9272				}
9273				*reason_code = 6;
9274				/*-
9275				 * I add this line to be paranoid. As far as
9276				 * I can tell the continue, takes us back to
9277				 * the top of the for, but just to make sure
9278				 * I will reset these again here.
9279				 */
9280				ctl_cnt = bundle_at = 0;
9281				continue; /* This takes us back to the for() for the nets. */
9282			} else {
9283				asoc->ifp_had_enobuf = 0;
9284			}
9285			endoutchain = NULL;
9286			auth = NULL;
9287			auth_offset = 0;
9288			if (bundle_at || hbflag) {
9289				/* For data/asconf and hb set time */
9290				if (*now_filled == 0) {
9291					(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
9292					*now_filled = 1;
9293					*now = net->last_sent_time;
9294				} else {
9295					net->last_sent_time = *now;
9296				}
9297			}
9298			if (!no_out_cnt) {
9299				*num_out += (ctl_cnt + bundle_at);
9300			}
9301			if (bundle_at) {
9302				/* setup for a RTO measurement */
9303				tsns_sent = data_list[0]->rec.data.TSN_seq;
9304				/* fill time if not already filled */
9305				if (*now_filled == 0) {
9306					(void)SCTP_GETTIME_TIMEVAL(&asoc->time_last_sent);
9307					*now_filled = 1;
9308					*now = asoc->time_last_sent;
9309				} else {
9310					asoc->time_last_sent = *now;
9311				}
9312				if (net->rto_needed) {
9313					data_list[0]->do_rtt = 1;
9314					net->rto_needed = 0;
9315				}
9316				SCTP_STAT_INCR_BY(sctps_senddata, bundle_at);
9317				sctp_clean_up_datalist(stcb, asoc, data_list, bundle_at, net);
9318			}
9319			if (one_chunk) {
9320				break;
9321			}
9322		}
9323		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
9324			sctp_log_cwnd(stcb, net, tsns_sent, SCTP_CWND_LOG_FROM_SEND);
9325		}
9326	}
9327	if (old_start_at == NULL) {
9328		old_start_at = start_at;
9329		start_at = TAILQ_FIRST(&asoc->nets);
9330		if (old_start_at)
9331			goto again_one_more_time;
9332	}
9333
9334	/*
9335	 * At the end there should be no NON timed chunks hanging on this
9336	 * queue.
9337	 */
9338	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
9339		sctp_log_cwnd(stcb, net, *num_out, SCTP_CWND_LOG_FROM_SEND);
9340	}
9341	if ((*num_out == 0) && (*reason_code == 0)) {
9342		*reason_code = 4;
9343	} else {
9344		*reason_code = 5;
9345	}
9346	sctp_clean_up_ctl(stcb, asoc, so_locked);
9347	return (0);
9348}
9349
9350void
9351sctp_queue_op_err(struct sctp_tcb *stcb, struct mbuf *op_err)
9352{
9353	/*-
9354	 * Prepend a OPERATIONAL_ERROR chunk header and put on the end of
9355	 * the control chunk queue.
9356	 */
9357	struct sctp_chunkhdr *hdr;
9358	struct sctp_tmit_chunk *chk;
9359	struct mbuf *mat;
9360
9361	SCTP_TCB_LOCK_ASSERT(stcb);
9362	sctp_alloc_a_chunk(stcb, chk);
9363	if (chk == NULL) {
9364		/* no memory */
9365		sctp_m_freem(op_err);
9366		return;
9367	}
9368	chk->copy_by_ref = 0;
9369	SCTP_BUF_PREPEND(op_err, sizeof(struct sctp_chunkhdr), M_NOWAIT);
9370	if (op_err == NULL) {
9371		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
9372		return;
9373	}
9374	chk->send_size = 0;
9375	mat = op_err;
9376	while (mat != NULL) {
9377		chk->send_size += SCTP_BUF_LEN(mat);
9378		mat = SCTP_BUF_NEXT(mat);
9379	}
9380	chk->rec.chunk_id.id = SCTP_OPERATION_ERROR;
9381	chk->rec.chunk_id.can_take_data = 1;
9382	chk->sent = SCTP_DATAGRAM_UNSENT;
9383	chk->snd_count = 0;
9384	chk->flags = 0;
9385	chk->asoc = &stcb->asoc;
9386	chk->data = op_err;
9387	chk->whoTo = NULL;
9388	hdr = mtod(op_err, struct sctp_chunkhdr *);
9389	hdr->chunk_type = SCTP_OPERATION_ERROR;
9390	hdr->chunk_flags = 0;
9391	hdr->chunk_length = htons(chk->send_size);
9392	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue,
9393	    chk,
9394	    sctp_next);
9395	chk->asoc->ctrl_queue_cnt++;
9396}
9397
9398int
9399sctp_send_cookie_echo(struct mbuf *m,
9400    int offset,
9401    struct sctp_tcb *stcb,
9402    struct sctp_nets *net)
9403{
9404	/*-
9405	 * pull out the cookie and put it at the front of the control chunk
9406	 * queue.
9407	 */
9408	int at;
9409	struct mbuf *cookie;
9410	struct sctp_paramhdr parm, *phdr;
9411	struct sctp_chunkhdr *hdr;
9412	struct sctp_tmit_chunk *chk;
9413	uint16_t ptype, plen;
9414
9415	/* First find the cookie in the param area */
9416	cookie = NULL;
9417	at = offset + sizeof(struct sctp_init_chunk);
9418
9419	SCTP_TCB_LOCK_ASSERT(stcb);
9420	do {
9421		phdr = sctp_get_next_param(m, at, &parm, sizeof(parm));
9422		if (phdr == NULL) {
9423			return (-3);
9424		}
9425		ptype = ntohs(phdr->param_type);
9426		plen = ntohs(phdr->param_length);
9427		if (ptype == SCTP_STATE_COOKIE) {
9428			int pad;
9429
9430			/* found the cookie */
9431			if ((pad = (plen % 4))) {
9432				plen += 4 - pad;
9433			}
9434			cookie = SCTP_M_COPYM(m, at, plen, M_NOWAIT);
9435			if (cookie == NULL) {
9436				/* No memory */
9437				return (-2);
9438			}
9439#ifdef SCTP_MBUF_LOGGING
9440			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
9441				struct mbuf *mat;
9442
9443				for (mat = cookie; mat; mat = SCTP_BUF_NEXT(mat)) {
9444					if (SCTP_BUF_IS_EXTENDED(mat)) {
9445						sctp_log_mb(mat, SCTP_MBUF_ICOPY);
9446					}
9447				}
9448			}
9449#endif
9450			break;
9451		}
9452		at += SCTP_SIZE32(plen);
9453	} while (phdr);
9454	if (cookie == NULL) {
9455		/* Did not find the cookie */
9456		return (-3);
9457	}
9458	/* ok, we got the cookie lets change it into a cookie echo chunk */
9459
9460	/* first the change from param to cookie */
9461	hdr = mtod(cookie, struct sctp_chunkhdr *);
9462	hdr->chunk_type = SCTP_COOKIE_ECHO;
9463	hdr->chunk_flags = 0;
9464	/* get the chunk stuff now and place it in the FRONT of the queue */
9465	sctp_alloc_a_chunk(stcb, chk);
9466	if (chk == NULL) {
9467		/* no memory */
9468		sctp_m_freem(cookie);
9469		return (-5);
9470	}
9471	chk->copy_by_ref = 0;
9472	chk->send_size = plen;
9473	chk->rec.chunk_id.id = SCTP_COOKIE_ECHO;
9474	chk->rec.chunk_id.can_take_data = 0;
9475	chk->sent = SCTP_DATAGRAM_UNSENT;
9476	chk->snd_count = 0;
9477	chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
9478	chk->asoc = &stcb->asoc;
9479	chk->data = cookie;
9480	chk->whoTo = net;
9481	atomic_add_int(&chk->whoTo->ref_count, 1);
9482	TAILQ_INSERT_HEAD(&chk->asoc->control_send_queue, chk, sctp_next);
9483	chk->asoc->ctrl_queue_cnt++;
9484	return (0);
9485}
9486
9487void
9488sctp_send_heartbeat_ack(struct sctp_tcb *stcb,
9489    struct mbuf *m,
9490    int offset,
9491    int chk_length,
9492    struct sctp_nets *net)
9493{
9494	/*
9495	 * take a HB request and make it into a HB ack and send it.
9496	 */
9497	struct mbuf *outchain;
9498	struct sctp_chunkhdr *chdr;
9499	struct sctp_tmit_chunk *chk;
9500
9501
9502	if (net == NULL)
9503		/* must have a net pointer */
9504		return;
9505
9506	outchain = SCTP_M_COPYM(m, offset, chk_length, M_NOWAIT);
9507	if (outchain == NULL) {
9508		/* gak out of memory */
9509		return;
9510	}
9511#ifdef SCTP_MBUF_LOGGING
9512	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
9513		struct mbuf *mat;
9514
9515		for (mat = outchain; mat; mat = SCTP_BUF_NEXT(mat)) {
9516			if (SCTP_BUF_IS_EXTENDED(mat)) {
9517				sctp_log_mb(mat, SCTP_MBUF_ICOPY);
9518			}
9519		}
9520	}
9521#endif
9522	chdr = mtod(outchain, struct sctp_chunkhdr *);
9523	chdr->chunk_type = SCTP_HEARTBEAT_ACK;
9524	chdr->chunk_flags = 0;
9525	if (chk_length % 4) {
9526		/* need pad */
9527		uint32_t cpthis = 0;
9528		int padlen;
9529
9530		padlen = 4 - (chk_length % 4);
9531		m_copyback(outchain, chk_length, padlen, (caddr_t)&cpthis);
9532	}
9533	sctp_alloc_a_chunk(stcb, chk);
9534	if (chk == NULL) {
9535		/* no memory */
9536		sctp_m_freem(outchain);
9537		return;
9538	}
9539	chk->copy_by_ref = 0;
9540	chk->send_size = chk_length;
9541	chk->rec.chunk_id.id = SCTP_HEARTBEAT_ACK;
9542	chk->rec.chunk_id.can_take_data = 1;
9543	chk->sent = SCTP_DATAGRAM_UNSENT;
9544	chk->snd_count = 0;
9545	chk->flags = 0;
9546	chk->asoc = &stcb->asoc;
9547	chk->data = outchain;
9548	chk->whoTo = net;
9549	atomic_add_int(&chk->whoTo->ref_count, 1);
9550	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9551	chk->asoc->ctrl_queue_cnt++;
9552}
9553
9554void
9555sctp_send_cookie_ack(struct sctp_tcb *stcb)
9556{
9557	/* formulate and queue a cookie-ack back to sender */
9558	struct mbuf *cookie_ack;
9559	struct sctp_chunkhdr *hdr;
9560	struct sctp_tmit_chunk *chk;
9561
9562	SCTP_TCB_LOCK_ASSERT(stcb);
9563
9564	cookie_ack = sctp_get_mbuf_for_msg(sizeof(struct sctp_chunkhdr), 0, M_NOWAIT, 1, MT_HEADER);
9565	if (cookie_ack == NULL) {
9566		/* no mbuf's */
9567		return;
9568	}
9569	SCTP_BUF_RESV_UF(cookie_ack, SCTP_MIN_OVERHEAD);
9570	sctp_alloc_a_chunk(stcb, chk);
9571	if (chk == NULL) {
9572		/* no memory */
9573		sctp_m_freem(cookie_ack);
9574		return;
9575	}
9576	chk->copy_by_ref = 0;
9577	chk->send_size = sizeof(struct sctp_chunkhdr);
9578	chk->rec.chunk_id.id = SCTP_COOKIE_ACK;
9579	chk->rec.chunk_id.can_take_data = 1;
9580	chk->sent = SCTP_DATAGRAM_UNSENT;
9581	chk->snd_count = 0;
9582	chk->flags = 0;
9583	chk->asoc = &stcb->asoc;
9584	chk->data = cookie_ack;
9585	if (chk->asoc->last_control_chunk_from != NULL) {
9586		chk->whoTo = chk->asoc->last_control_chunk_from;
9587		atomic_add_int(&chk->whoTo->ref_count, 1);
9588	} else {
9589		chk->whoTo = NULL;
9590	}
9591	hdr = mtod(cookie_ack, struct sctp_chunkhdr *);
9592	hdr->chunk_type = SCTP_COOKIE_ACK;
9593	hdr->chunk_flags = 0;
9594	hdr->chunk_length = htons(chk->send_size);
9595	SCTP_BUF_LEN(cookie_ack) = chk->send_size;
9596	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9597	chk->asoc->ctrl_queue_cnt++;
9598	return;
9599}
9600
9601
9602void
9603sctp_send_shutdown_ack(struct sctp_tcb *stcb, struct sctp_nets *net)
9604{
9605	/* formulate and queue a SHUTDOWN-ACK back to the sender */
9606	struct mbuf *m_shutdown_ack;
9607	struct sctp_shutdown_ack_chunk *ack_cp;
9608	struct sctp_tmit_chunk *chk;
9609
9610	m_shutdown_ack = sctp_get_mbuf_for_msg(sizeof(struct sctp_shutdown_ack_chunk), 0, M_NOWAIT, 1, MT_HEADER);
9611	if (m_shutdown_ack == NULL) {
9612		/* no mbuf's */
9613		return;
9614	}
9615	SCTP_BUF_RESV_UF(m_shutdown_ack, SCTP_MIN_OVERHEAD);
9616	sctp_alloc_a_chunk(stcb, chk);
9617	if (chk == NULL) {
9618		/* no memory */
9619		sctp_m_freem(m_shutdown_ack);
9620		return;
9621	}
9622	chk->copy_by_ref = 0;
9623	chk->send_size = sizeof(struct sctp_chunkhdr);
9624	chk->rec.chunk_id.id = SCTP_SHUTDOWN_ACK;
9625	chk->rec.chunk_id.can_take_data = 1;
9626	chk->sent = SCTP_DATAGRAM_UNSENT;
9627	chk->snd_count = 0;
9628	chk->flags = 0;
9629	chk->asoc = &stcb->asoc;
9630	chk->data = m_shutdown_ack;
9631	chk->whoTo = net;
9632	if (chk->whoTo) {
9633		atomic_add_int(&chk->whoTo->ref_count, 1);
9634	}
9635	ack_cp = mtod(m_shutdown_ack, struct sctp_shutdown_ack_chunk *);
9636	ack_cp->ch.chunk_type = SCTP_SHUTDOWN_ACK;
9637	ack_cp->ch.chunk_flags = 0;
9638	ack_cp->ch.chunk_length = htons(chk->send_size);
9639	SCTP_BUF_LEN(m_shutdown_ack) = chk->send_size;
9640	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9641	chk->asoc->ctrl_queue_cnt++;
9642	return;
9643}
9644
9645void
9646sctp_send_shutdown(struct sctp_tcb *stcb, struct sctp_nets *net)
9647{
9648	/* formulate and queue a SHUTDOWN to the sender */
9649	struct mbuf *m_shutdown;
9650	struct sctp_shutdown_chunk *shutdown_cp;
9651	struct sctp_tmit_chunk *chk;
9652
9653	m_shutdown = sctp_get_mbuf_for_msg(sizeof(struct sctp_shutdown_chunk), 0, M_NOWAIT, 1, MT_HEADER);
9654	if (m_shutdown == NULL) {
9655		/* no mbuf's */
9656		return;
9657	}
9658	SCTP_BUF_RESV_UF(m_shutdown, SCTP_MIN_OVERHEAD);
9659	sctp_alloc_a_chunk(stcb, chk);
9660	if (chk == NULL) {
9661		/* no memory */
9662		sctp_m_freem(m_shutdown);
9663		return;
9664	}
9665	chk->copy_by_ref = 0;
9666	chk->send_size = sizeof(struct sctp_shutdown_chunk);
9667	chk->rec.chunk_id.id = SCTP_SHUTDOWN;
9668	chk->rec.chunk_id.can_take_data = 1;
9669	chk->sent = SCTP_DATAGRAM_UNSENT;
9670	chk->snd_count = 0;
9671	chk->flags = 0;
9672	chk->asoc = &stcb->asoc;
9673	chk->data = m_shutdown;
9674	chk->whoTo = net;
9675	if (chk->whoTo) {
9676		atomic_add_int(&chk->whoTo->ref_count, 1);
9677	}
9678	shutdown_cp = mtod(m_shutdown, struct sctp_shutdown_chunk *);
9679	shutdown_cp->ch.chunk_type = SCTP_SHUTDOWN;
9680	shutdown_cp->ch.chunk_flags = 0;
9681	shutdown_cp->ch.chunk_length = htons(chk->send_size);
9682	shutdown_cp->cumulative_tsn_ack = htonl(stcb->asoc.cumulative_tsn);
9683	SCTP_BUF_LEN(m_shutdown) = chk->send_size;
9684	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9685	chk->asoc->ctrl_queue_cnt++;
9686	return;
9687}
9688
9689void
9690sctp_send_asconf(struct sctp_tcb *stcb, struct sctp_nets *net, int addr_locked)
9691{
9692	/*
9693	 * formulate and queue an ASCONF to the peer.
9694	 * ASCONF parameters should be queued on the assoc queue.
9695	 */
9696	struct sctp_tmit_chunk *chk;
9697	struct mbuf *m_asconf;
9698	int len;
9699
9700	SCTP_TCB_LOCK_ASSERT(stcb);
9701
9702	if ((!TAILQ_EMPTY(&stcb->asoc.asconf_send_queue)) &&
9703	    (!sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_MULTIPLE_ASCONFS))) {
9704		/* can't send a new one if there is one in flight already */
9705		return;
9706	}
9707
9708	/* compose an ASCONF chunk, maximum length is PMTU */
9709	m_asconf = sctp_compose_asconf(stcb, &len, addr_locked);
9710	if (m_asconf == NULL) {
9711		return;
9712	}
9713
9714	sctp_alloc_a_chunk(stcb, chk);
9715	if (chk == NULL) {
9716		/* no memory */
9717		sctp_m_freem(m_asconf);
9718		return;
9719	}
9720
9721	chk->copy_by_ref = 0;
9722	chk->data = m_asconf;
9723	chk->send_size = len;
9724	chk->rec.chunk_id.id = SCTP_ASCONF;
9725	chk->rec.chunk_id.can_take_data = 0;
9726	chk->sent = SCTP_DATAGRAM_UNSENT;
9727	chk->snd_count = 0;
9728	chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
9729	chk->asoc = &stcb->asoc;
9730	chk->whoTo = net;
9731	if (chk->whoTo) {
9732		atomic_add_int(&chk->whoTo->ref_count, 1);
9733	}
9734	TAILQ_INSERT_TAIL(&chk->asoc->asconf_send_queue, chk, sctp_next);
9735	chk->asoc->ctrl_queue_cnt++;
9736	return;
9737}
9738
9739void
9740sctp_send_asconf_ack(struct sctp_tcb *stcb)
9741{
9742	/*
9743	 * formulate and queue a asconf-ack back to sender.
9744	 * the asconf-ack must be stored in the tcb.
9745	 */
9746	struct sctp_tmit_chunk *chk;
9747	struct sctp_asconf_ack *ack, *latest_ack;
9748	struct mbuf *m_ack;
9749	struct sctp_nets *net = NULL;
9750
9751	SCTP_TCB_LOCK_ASSERT(stcb);
9752	/* Get the latest ASCONF-ACK */
9753	latest_ack = TAILQ_LAST(&stcb->asoc.asconf_ack_sent, sctp_asconf_ackhead);
9754	if (latest_ack == NULL) {
9755		return;
9756	}
9757	if (latest_ack->last_sent_to != NULL &&
9758	    latest_ack->last_sent_to == stcb->asoc.last_control_chunk_from) {
9759		/* we're doing a retransmission */
9760		net = sctp_find_alternate_net(stcb, stcb->asoc.last_control_chunk_from, 0);
9761		if (net == NULL) {
9762			/* no alternate */
9763			if (stcb->asoc.last_control_chunk_from == NULL) {
9764				if (stcb->asoc.alternate) {
9765					net = stcb->asoc.alternate;
9766				} else {
9767					net = stcb->asoc.primary_destination;
9768				}
9769			} else {
9770				net = stcb->asoc.last_control_chunk_from;
9771			}
9772		}
9773	} else {
9774		/* normal case */
9775		if (stcb->asoc.last_control_chunk_from == NULL) {
9776			if (stcb->asoc.alternate) {
9777				net = stcb->asoc.alternate;
9778			} else {
9779				net = stcb->asoc.primary_destination;
9780			}
9781		} else {
9782			net = stcb->asoc.last_control_chunk_from;
9783		}
9784	}
9785	latest_ack->last_sent_to = net;
9786
9787	TAILQ_FOREACH(ack, &stcb->asoc.asconf_ack_sent, next) {
9788		if (ack->data == NULL) {
9789			continue;
9790		}
9791
9792		/* copy the asconf_ack */
9793		m_ack = SCTP_M_COPYM(ack->data, 0, M_COPYALL, M_NOWAIT);
9794		if (m_ack == NULL) {
9795			/* couldn't copy it */
9796			return;
9797		}
9798#ifdef SCTP_MBUF_LOGGING
9799		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
9800			struct mbuf *mat;
9801
9802			for (mat = m_ack; mat; mat = SCTP_BUF_NEXT(mat)) {
9803				if (SCTP_BUF_IS_EXTENDED(mat)) {
9804					sctp_log_mb(mat, SCTP_MBUF_ICOPY);
9805				}
9806			}
9807		}
9808#endif
9809
9810		sctp_alloc_a_chunk(stcb, chk);
9811		if (chk == NULL) {
9812			/* no memory */
9813			if (m_ack)
9814				sctp_m_freem(m_ack);
9815			return;
9816		}
9817		chk->copy_by_ref = 0;
9818
9819		chk->whoTo = net;
9820		if (chk->whoTo) {
9821			atomic_add_int(&chk->whoTo->ref_count, 1);
9822		}
9823		chk->data = m_ack;
9824		chk->send_size = 0;
9825		/* Get size */
9826		chk->send_size = ack->len;
9827		chk->rec.chunk_id.id = SCTP_ASCONF_ACK;
9828		chk->rec.chunk_id.can_take_data = 1;
9829		chk->sent = SCTP_DATAGRAM_UNSENT;
9830		chk->snd_count = 0;
9831		chk->flags |= CHUNK_FLAGS_FRAGMENT_OK; /* XXX */
9832		chk->asoc = &stcb->asoc;
9833
9834		TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9835		chk->asoc->ctrl_queue_cnt++;
9836	}
9837	return;
9838}
9839
9840
9841static int
9842sctp_chunk_retransmission(struct sctp_inpcb *inp,
9843    struct sctp_tcb *stcb,
9844    struct sctp_association *asoc,
9845    int *cnt_out, struct timeval *now, int *now_filled, int *fr_done, int so_locked
9846#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
9847    SCTP_UNUSED
9848#endif
9849    )
9850{
9851	/*-
9852	 * send out one MTU of retransmission. If fast_retransmit is
9853	 * happening we ignore the cwnd. Otherwise we obey the cwnd and
9854	 * rwnd. For a Cookie or Asconf in the control chunk queue we
9855	 * retransmit them by themselves.
9856	 *
9857	 * For data chunks we will pick out the lowest TSN's in the sent_queue
9858	 * marked for resend and bundle them all together (up to a MTU of
9859	 * destination). The address to send to should have been
9860	 * selected/changed where the retransmission was marked (i.e. in FR
9861	 * or t3-timeout routines).
9862	 */
9863	struct sctp_tmit_chunk *data_list[SCTP_MAX_DATA_BUNDLING];
9864	struct sctp_tmit_chunk *chk, *fwd;
9865	struct mbuf *m, *endofchain;
9866	struct sctp_nets *net = NULL;
9867	uint32_t tsns_sent = 0;
9868	int no_fragmentflg, bundle_at, cnt_thru;
9869	unsigned int mtu;
9870	int error, i, one_chunk, fwd_tsn, ctl_cnt, tmr_started;
9871	struct sctp_auth_chunk *auth = NULL;
9872	uint32_t auth_offset = 0;
9873	uint16_t auth_keyid;
9874	int override_ok = 1;
9875	int data_auth_reqd = 0;
9876	uint32_t dmtu = 0;
9877
9878#if defined(__APPLE__)
9879	if (so_locked) {
9880		sctp_lock_assert(SCTP_INP_SO(inp));
9881	} else {
9882		sctp_unlock_assert(SCTP_INP_SO(inp));
9883	}
9884#endif
9885	SCTP_TCB_LOCK_ASSERT(stcb);
9886	tmr_started = ctl_cnt = bundle_at = error = 0;
9887	no_fragmentflg = 1;
9888	fwd_tsn = 0;
9889	*cnt_out = 0;
9890	fwd = NULL;
9891	endofchain = m = NULL;
9892	auth_keyid = stcb->asoc.authinfo.active_keyid;
9893#ifdef SCTP_AUDITING_ENABLED
9894	sctp_audit_log(0xC3, 1);
9895#endif
9896	if ((TAILQ_EMPTY(&asoc->sent_queue)) &&
9897	    (TAILQ_EMPTY(&asoc->control_send_queue))) {
9898		SCTPDBG(SCTP_DEBUG_OUTPUT1,"SCTP hits empty queue with cnt set to %d?\n",
9899			asoc->sent_queue_retran_cnt);
9900		asoc->sent_queue_cnt = 0;
9901		asoc->sent_queue_cnt_removeable = 0;
9902		/* send back 0/0 so we enter normal transmission */
9903		*cnt_out = 0;
9904		return (0);
9905	}
9906	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
9907		if ((chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) ||
9908		    (chk->rec.chunk_id.id == SCTP_STREAM_RESET) ||
9909		    (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN)) {
9910			if (chk->sent != SCTP_DATAGRAM_RESEND) {
9911				continue;
9912			}
9913			if (chk->rec.chunk_id.id == SCTP_STREAM_RESET) {
9914				if (chk != asoc->str_reset) {
9915					/*
9916					 * not eligible for retran if its
9917					 * not ours
9918					 */
9919					continue;
9920				}
9921			}
9922			ctl_cnt++;
9923			if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) {
9924				fwd_tsn = 1;
9925			}
9926			/*
9927			 * Add an AUTH chunk, if chunk requires it save the
9928			 * offset into the chain for AUTH
9929			 */
9930			if ((auth == NULL) &&
9931			    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
9932							 stcb->asoc.peer_auth_chunks))) {
9933				m = sctp_add_auth_chunk(m, &endofchain,
9934							&auth, &auth_offset,
9935							stcb,
9936							chk->rec.chunk_id.id);
9937				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
9938			}
9939			m = sctp_copy_mbufchain(chk->data, m, &endofchain, 0, chk->send_size, chk->copy_by_ref);
9940			break;
9941		}
9942	}
9943	one_chunk = 0;
9944	cnt_thru = 0;
9945	/* do we have control chunks to retransmit? */
9946	if (m != NULL) {
9947		/* Start a timer no matter if we suceed or fail */
9948		if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
9949			sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, chk->whoTo);
9950		} else if (chk->rec.chunk_id.id == SCTP_ASCONF)
9951			sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, chk->whoTo);
9952		chk->snd_count++;	/* update our count */
9953		if ((error = sctp_lowlevel_chunk_output(inp, stcb, chk->whoTo,
9954		                                        (struct sockaddr *)&chk->whoTo->ro._l_addr, m,
9955		                                        auth_offset, auth, stcb->asoc.authinfo.active_keyid,
9956		                                        no_fragmentflg, 0, 0,
9957		                                        inp->sctp_lport, stcb->rport, htonl(stcb->asoc.peer_vtag),
9958		                                        chk->whoTo->port, NULL,
9959#if defined(__FreeBSD__)
9960		                                        0, 0,
9961#endif
9962		                                        so_locked))) {
9963			SCTP_STAT_INCR(sctps_lowlevelerr);
9964			return (error);
9965		}
9966		endofchain = NULL;
9967		auth = NULL;
9968		auth_offset = 0;
9969		/*
9970		 * We don't want to mark the net->sent time here since this
9971		 * we use this for HB and retrans cannot measure RTT
9972		 */
9973		/* (void)SCTP_GETTIME_TIMEVAL(&chk->whoTo->last_sent_time); */
9974		*cnt_out += 1;
9975		chk->sent = SCTP_DATAGRAM_SENT;
9976		sctp_ucount_decr(stcb->asoc.sent_queue_retran_cnt);
9977		if (fwd_tsn == 0) {
9978			return (0);
9979		} else {
9980			/* Clean up the fwd-tsn list */
9981			sctp_clean_up_ctl(stcb, asoc, so_locked);
9982			return (0);
9983		}
9984	}
9985	/*
9986	 * Ok, it is just data retransmission we need to do or that and a
9987	 * fwd-tsn with it all.
9988	 */
9989	if (TAILQ_EMPTY(&asoc->sent_queue)) {
9990		return (SCTP_RETRAN_DONE);
9991	}
9992	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) ||
9993	    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT)) {
9994		/* not yet open, resend the cookie and that is it */
9995		return (1);
9996	}
9997#ifdef SCTP_AUDITING_ENABLED
9998	sctp_auditing(20, inp, stcb, NULL);
9999#endif
10000	data_auth_reqd = sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks);
10001	TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
10002		if (chk->sent != SCTP_DATAGRAM_RESEND) {
10003			/* No, not sent to this net or not ready for rtx */
10004			continue;
10005		}
10006		if (chk->data == NULL) {
10007			SCTP_PRINTF("TSN:%x chk->snd_count:%d chk->sent:%d can't retran - no data\n",
10008			            chk->rec.data.TSN_seq, chk->snd_count, chk->sent);
10009			continue;
10010		}
10011		if ((SCTP_BASE_SYSCTL(sctp_max_retran_chunk)) &&
10012		    (chk->snd_count >= SCTP_BASE_SYSCTL(sctp_max_retran_chunk))) {
10013			/* Gak, we have exceeded max unlucky retran, abort! */
10014			SCTP_PRINTF("Gak, chk->snd_count:%d >= max:%d - send abort\n",
10015				    chk->snd_count,
10016				    SCTP_BASE_SYSCTL(sctp_max_retran_chunk));
10017			atomic_add_int(&stcb->asoc.refcnt, 1);
10018			sctp_abort_an_association(stcb->sctp_ep, stcb, NULL, so_locked);
10019			SCTP_TCB_LOCK(stcb);
10020			atomic_subtract_int(&stcb->asoc.refcnt, 1);
10021			return (SCTP_RETRAN_EXIT);
10022		}
10023		/* pick up the net */
10024		net = chk->whoTo;
10025		switch (net->ro._l_addr.sa.sa_family) {
10026#ifdef INET
10027			case AF_INET:
10028				mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
10029				break;
10030#endif
10031#ifdef INET6
10032			case AF_INET6:
10033				mtu = net->mtu - SCTP_MIN_OVERHEAD;
10034				break;
10035#endif
10036#if defined(__Userspace__)
10037			case AF_CONN:
10038				mtu = net->mtu - sizeof(struct sctphdr);
10039				break;
10040#endif
10041			default:
10042				/* TSNH */
10043				mtu = net->mtu;
10044				break;
10045		}
10046
10047		if ((asoc->peers_rwnd < mtu) && (asoc->total_flight > 0)) {
10048			/* No room in peers rwnd */
10049			uint32_t tsn;
10050
10051			tsn = asoc->last_acked_seq + 1;
10052			if (tsn == chk->rec.data.TSN_seq) {
10053				/*
10054				 * we make a special exception for this
10055				 * case. The peer has no rwnd but is missing
10056				 * the lowest chunk.. which is probably what
10057				 * is holding up the rwnd.
10058				 */
10059				goto one_chunk_around;
10060			}
10061			return (1);
10062		}
10063	one_chunk_around:
10064		if (asoc->peers_rwnd < mtu) {
10065			one_chunk = 1;
10066			if ((asoc->peers_rwnd == 0) &&
10067			    (asoc->total_flight == 0)) {
10068				chk->window_probe = 1;
10069				chk->whoTo->window_probe = 1;
10070			}
10071		}
10072#ifdef SCTP_AUDITING_ENABLED
10073		sctp_audit_log(0xC3, 2);
10074#endif
10075		bundle_at = 0;
10076		m = NULL;
10077		net->fast_retran_ip = 0;
10078		if (chk->rec.data.doing_fast_retransmit == 0) {
10079			/*
10080			 * if no FR in progress skip destination that have
10081			 * flight_size > cwnd.
10082			 */
10083			if (net->flight_size >= net->cwnd) {
10084				continue;
10085			}
10086		} else {
10087			/*
10088			 * Mark the destination net to have FR recovery
10089			 * limits put on it.
10090			 */
10091			*fr_done = 1;
10092			net->fast_retran_ip = 1;
10093		}
10094
10095		/*
10096		 * if no AUTH is yet included and this chunk requires it,
10097		 * make sure to account for it.  We don't apply the size
10098		 * until the AUTH chunk is actually added below in case
10099		 * there is no room for this chunk.
10100		 */
10101		if (data_auth_reqd && (auth == NULL)) {
10102			dmtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
10103		} else
10104			dmtu = 0;
10105
10106		if ((chk->send_size <= (mtu - dmtu)) ||
10107		    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
10108			/* ok we will add this one */
10109			if (data_auth_reqd) {
10110				if (auth == NULL) {
10111					m = sctp_add_auth_chunk(m,
10112								&endofchain,
10113								&auth,
10114								&auth_offset,
10115								stcb,
10116								SCTP_DATA);
10117					auth_keyid = chk->auth_keyid;
10118					override_ok = 0;
10119					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
10120				} else if (override_ok) {
10121					auth_keyid = chk->auth_keyid;
10122					override_ok = 0;
10123				} else if (chk->auth_keyid != auth_keyid) {
10124					/* different keyid, so done bundling */
10125					break;
10126				}
10127			}
10128			m = sctp_copy_mbufchain(chk->data, m, &endofchain, 0, chk->send_size, chk->copy_by_ref);
10129			if (m == NULL) {
10130				SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
10131				return (ENOMEM);
10132			}
10133			/* Do clear IP_DF ? */
10134			if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
10135				no_fragmentflg = 0;
10136			}
10137			/* upate our MTU size */
10138			if (mtu > (chk->send_size + dmtu))
10139				mtu -= (chk->send_size + dmtu);
10140			else
10141				mtu = 0;
10142			data_list[bundle_at++] = chk;
10143			if (one_chunk && (asoc->total_flight <= 0)) {
10144				SCTP_STAT_INCR(sctps_windowprobed);
10145			}
10146		}
10147		if (one_chunk == 0) {
10148			/*
10149			 * now are there anymore forward from chk to pick
10150			 * up?
10151			 */
10152			for (fwd = TAILQ_NEXT(chk, sctp_next); fwd != NULL; fwd = TAILQ_NEXT(fwd, sctp_next)) {
10153				if (fwd->sent != SCTP_DATAGRAM_RESEND) {
10154					/* Nope, not for retran */
10155					continue;
10156				}
10157				if (fwd->whoTo != net) {
10158					/* Nope, not the net in question */
10159					continue;
10160				}
10161				if (data_auth_reqd && (auth == NULL)) {
10162					dmtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
10163				} else
10164					dmtu = 0;
10165				if (fwd->send_size <= (mtu - dmtu)) {
10166					if (data_auth_reqd) {
10167						if (auth == NULL) {
10168							m = sctp_add_auth_chunk(m,
10169										&endofchain,
10170										&auth,
10171										&auth_offset,
10172										stcb,
10173										SCTP_DATA);
10174							auth_keyid = fwd->auth_keyid;
10175							override_ok = 0;
10176							SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
10177						} else if (override_ok) {
10178							auth_keyid = fwd->auth_keyid;
10179							override_ok = 0;
10180						} else if (fwd->auth_keyid != auth_keyid) {
10181							/* different keyid, so done bundling */
10182							break;
10183						}
10184					}
10185					m = sctp_copy_mbufchain(fwd->data, m, &endofchain, 0, fwd->send_size, fwd->copy_by_ref);
10186					if (m == NULL) {
10187						SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
10188						return (ENOMEM);
10189					}
10190					/* Do clear IP_DF ? */
10191					if (fwd->flags & CHUNK_FLAGS_FRAGMENT_OK) {
10192						no_fragmentflg = 0;
10193					}
10194					/* upate our MTU size */
10195					if (mtu > (fwd->send_size + dmtu))
10196						mtu -= (fwd->send_size + dmtu);
10197					else
10198						mtu = 0;
10199					data_list[bundle_at++] = fwd;
10200					if (bundle_at >= SCTP_MAX_DATA_BUNDLING) {
10201						break;
10202					}
10203				} else {
10204					/* can't fit so we are done */
10205					break;
10206				}
10207			}
10208		}
10209		/* Is there something to send for this destination? */
10210		if (m) {
10211			/*
10212			 * No matter if we fail/or suceed we should start a
10213			 * timer. A failure is like a lost IP packet :-)
10214			 */
10215			if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
10216				/*
10217				 * no timer running on this destination
10218				 * restart it.
10219				 */
10220				sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
10221				tmr_started = 1;
10222			}
10223			/* Now lets send it, if there is anything to send :> */
10224			if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
10225			                                        (struct sockaddr *)&net->ro._l_addr, m,
10226			                                        auth_offset, auth, auth_keyid,
10227			                                        no_fragmentflg, 0, 0,
10228			                                        inp->sctp_lport, stcb->rport, htonl(stcb->asoc.peer_vtag),
10229			                                        net->port, NULL,
10230#if defined(__FreeBSD__)
10231			                                        0, 0,
10232#endif
10233			                                        so_locked))) {
10234				/* error, we could not output */
10235				SCTP_STAT_INCR(sctps_lowlevelerr);
10236				return (error);
10237			}
10238			endofchain = NULL;
10239			auth = NULL;
10240			auth_offset = 0;
10241			/* For HB's */
10242			/*
10243			 * We don't want to mark the net->sent time here
10244			 * since this we use this for HB and retrans cannot
10245			 * measure RTT
10246			 */
10247			/* (void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time); */
10248
10249			/* For auto-close */
10250			cnt_thru++;
10251			if (*now_filled == 0) {
10252				(void)SCTP_GETTIME_TIMEVAL(&asoc->time_last_sent);
10253				*now = asoc->time_last_sent;
10254				*now_filled = 1;
10255			} else {
10256				asoc->time_last_sent = *now;
10257			}
10258			*cnt_out += bundle_at;
10259#ifdef SCTP_AUDITING_ENABLED
10260			sctp_audit_log(0xC4, bundle_at);
10261#endif
10262			if (bundle_at) {
10263				tsns_sent = data_list[0]->rec.data.TSN_seq;
10264			}
10265			for (i = 0; i < bundle_at; i++) {
10266				SCTP_STAT_INCR(sctps_sendretransdata);
10267				data_list[i]->sent = SCTP_DATAGRAM_SENT;
10268				/*
10269				 * When we have a revoked data, and we
10270				 * retransmit it, then we clear the revoked
10271				 * flag since this flag dictates if we
10272				 * subtracted from the fs
10273				 */
10274				if (data_list[i]->rec.data.chunk_was_revoked) {
10275					/* Deflate the cwnd */
10276					data_list[i]->whoTo->cwnd -= data_list[i]->book_size;
10277					data_list[i]->rec.data.chunk_was_revoked = 0;
10278				}
10279				data_list[i]->snd_count++;
10280				sctp_ucount_decr(asoc->sent_queue_retran_cnt);
10281				/* record the time */
10282				data_list[i]->sent_rcv_time = asoc->time_last_sent;
10283				if (data_list[i]->book_size_scale) {
10284					/*
10285					 * need to double the book size on
10286					 * this one
10287					 */
10288					data_list[i]->book_size_scale = 0;
10289					/* Since we double the booksize, we must
10290					 * also double the output queue size, since this
10291					 * get shrunk when we free by this amount.
10292					 */
10293					atomic_add_int(&((asoc)->total_output_queue_size),data_list[i]->book_size);
10294					data_list[i]->book_size *= 2;
10295
10296
10297				} else {
10298					if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
10299						sctp_log_rwnd(SCTP_DECREASE_PEER_RWND,
10300						      asoc->peers_rwnd, data_list[i]->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
10301					}
10302					asoc->peers_rwnd = sctp_sbspace_sub(asoc->peers_rwnd,
10303									    (uint32_t) (data_list[i]->send_size +
10304											SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)));
10305				}
10306				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
10307					sctp_misc_ints(SCTP_FLIGHT_LOG_UP_RSND,
10308						       data_list[i]->whoTo->flight_size,
10309						       data_list[i]->book_size,
10310						       (uintptr_t)data_list[i]->whoTo,
10311						       data_list[i]->rec.data.TSN_seq);
10312				}
10313				sctp_flight_size_increase(data_list[i]);
10314				sctp_total_flight_increase(stcb, data_list[i]);
10315				if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
10316					/* SWS sender side engages */
10317					asoc->peers_rwnd = 0;
10318				}
10319				if ((i == 0) &&
10320				    (data_list[i]->rec.data.doing_fast_retransmit)) {
10321					SCTP_STAT_INCR(sctps_sendfastretrans);
10322					if ((data_list[i] == TAILQ_FIRST(&asoc->sent_queue)) &&
10323					    (tmr_started == 0)) {
10324						/*-
10325						 * ok we just fast-retrans'd
10326						 * the lowest TSN, i.e the
10327						 * first on the list. In
10328						 * this case we want to give
10329						 * some more time to get a
10330						 * SACK back without a
10331						 * t3-expiring.
10332						 */
10333						sctp_timer_stop(SCTP_TIMER_TYPE_SEND, inp, stcb, net,
10334								SCTP_FROM_SCTP_OUTPUT+SCTP_LOC_4);
10335						sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
10336					}
10337				}
10338			}
10339			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
10340				sctp_log_cwnd(stcb, net, tsns_sent, SCTP_CWND_LOG_FROM_RESEND);
10341			}
10342#ifdef SCTP_AUDITING_ENABLED
10343			sctp_auditing(21, inp, stcb, NULL);
10344#endif
10345		} else {
10346			/* None will fit */
10347			return (1);
10348		}
10349		if (asoc->sent_queue_retran_cnt <= 0) {
10350			/* all done we have no more to retran */
10351			asoc->sent_queue_retran_cnt = 0;
10352			break;
10353		}
10354		if (one_chunk) {
10355			/* No more room in rwnd */
10356			return (1);
10357		}
10358		/* stop the for loop here. we sent out a packet */
10359		break;
10360	}
10361	return (0);
10362}
10363
10364static void
10365sctp_timer_validation(struct sctp_inpcb *inp,
10366    struct sctp_tcb *stcb,
10367    struct sctp_association *asoc)
10368{
10369	struct sctp_nets *net;
10370
10371	/* Validate that a timer is running somewhere */
10372	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
10373		if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
10374			/* Here is a timer */
10375			return;
10376		}
10377	}
10378	SCTP_TCB_LOCK_ASSERT(stcb);
10379	/* Gak, we did not have a timer somewhere */
10380	SCTPDBG(SCTP_DEBUG_OUTPUT3, "Deadlock avoided starting timer on a dest at retran\n");
10381	if (asoc->alternate) {
10382		sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, asoc->alternate);
10383	} else {
10384		sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, asoc->primary_destination);
10385	}
10386	return;
10387}
10388
10389void
10390sctp_chunk_output (struct sctp_inpcb *inp,
10391    struct sctp_tcb *stcb,
10392    int from_where,
10393    int so_locked
10394#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
10395    SCTP_UNUSED
10396#endif
10397    )
10398{
10399	/*-
10400	 * Ok this is the generic chunk service queue. we must do the
10401	 * following:
10402	 * - See if there are retransmits pending, if so we must
10403	 *   do these first.
10404	 * - Service the stream queue that is next, moving any
10405	 *   message (note I must get a complete message i.e.
10406	 *   FIRST/MIDDLE and LAST to the out queue in one pass) and assigning
10407	 *   TSN's
10408	 * - Check to see if the cwnd/rwnd allows any output, if so we
10409	 *   go ahead and fomulate and send the low level chunks. Making sure
10410	 *   to combine any control in the control chunk queue also.
10411	 */
10412	struct sctp_association *asoc;
10413	struct sctp_nets *net;
10414	int error = 0, num_out = 0, tot_out = 0, ret = 0, reason_code = 0;
10415	unsigned int burst_cnt = 0;
10416	struct timeval now;
10417	int now_filled = 0;
10418	int nagle_on;
10419	int frag_point = sctp_get_frag_point(stcb, &stcb->asoc);
10420	int un_sent = 0;
10421	int fr_done;
10422	unsigned int tot_frs = 0;
10423
10424#if defined(__APPLE__)
10425	if (so_locked) {
10426		sctp_lock_assert(SCTP_INP_SO(inp));
10427	} else {
10428		sctp_unlock_assert(SCTP_INP_SO(inp));
10429	}
10430#endif
10431	asoc = &stcb->asoc;
10432	/* The Nagle algorithm is only applied when handling a send call. */
10433	if (from_where == SCTP_OUTPUT_FROM_USR_SEND) {
10434		if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_NODELAY)) {
10435			nagle_on = 0;
10436		} else {
10437			nagle_on = 1;
10438		}
10439	} else {
10440		nagle_on = 0;
10441	}
10442	SCTP_TCB_LOCK_ASSERT(stcb);
10443
10444	un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight);
10445
10446	if ((un_sent <= 0) &&
10447	    (TAILQ_EMPTY(&asoc->control_send_queue)) &&
10448	    (TAILQ_EMPTY(&asoc->asconf_send_queue)) &&
10449	    (asoc->sent_queue_retran_cnt == 0)) {
10450		/* Nothing to do unless there is something to be sent left */
10451		return;
10452	}
10453	/* Do we have something to send, data or control AND
10454	 * a sack timer running, if so piggy-back the sack.
10455	 */
10456	if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
10457		sctp_send_sack(stcb, so_locked);
10458		(void)SCTP_OS_TIMER_STOP(&stcb->asoc.dack_timer.timer);
10459	}
10460	while (asoc->sent_queue_retran_cnt) {
10461		/*-
10462		 * Ok, it is retransmission time only, we send out only ONE
10463		 * packet with a single call off to the retran code.
10464		 */
10465		if (from_where == SCTP_OUTPUT_FROM_COOKIE_ACK) {
10466			/*-
10467			 * Special hook for handling cookiess discarded
10468			 * by peer that carried data. Send cookie-ack only
10469			 * and then the next call with get the retran's.
10470			 */
10471			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1,
10472						    from_where,
10473						    &now, &now_filled, frag_point, so_locked);
10474			return;
10475		} else if (from_where != SCTP_OUTPUT_FROM_HB_TMR) {
10476			/* if its not from a HB then do it */
10477			fr_done = 0;
10478			ret = sctp_chunk_retransmission(inp, stcb, asoc, &num_out, &now, &now_filled, &fr_done, so_locked);
10479			if (fr_done) {
10480				tot_frs++;
10481			}
10482		} else {
10483			/*
10484			 * its from any other place, we don't allow retran
10485			 * output (only control)
10486			 */
10487			ret = 1;
10488		}
10489		if (ret > 0) {
10490			/* Can't send anymore */
10491			/*-
10492			 * now lets push out control by calling med-level
10493			 * output once. this assures that we WILL send HB's
10494			 * if queued too.
10495			 */
10496			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1,
10497						    from_where,
10498						    &now, &now_filled, frag_point, so_locked);
10499#ifdef SCTP_AUDITING_ENABLED
10500			sctp_auditing(8, inp, stcb, NULL);
10501#endif
10502			sctp_timer_validation(inp, stcb, asoc);
10503			return;
10504		}
10505		if (ret < 0) {
10506			/*-
10507			 * The count was off.. retran is not happening so do
10508			 * the normal retransmission.
10509			 */
10510#ifdef SCTP_AUDITING_ENABLED
10511			sctp_auditing(9, inp, stcb, NULL);
10512#endif
10513			if (ret == SCTP_RETRAN_EXIT) {
10514				return;
10515			}
10516			break;
10517		}
10518		if (from_where == SCTP_OUTPUT_FROM_T3) {
10519			/* Only one transmission allowed out of a timeout */
10520#ifdef SCTP_AUDITING_ENABLED
10521			sctp_auditing(10, inp, stcb, NULL);
10522#endif
10523			/* Push out any control */
10524			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1, from_where,
10525						    &now, &now_filled, frag_point, so_locked);
10526			return;
10527		}
10528		if ((asoc->fr_max_burst > 0) && (tot_frs >= asoc->fr_max_burst)) {
10529			/* Hit FR burst limit */
10530			return;
10531		}
10532		if ((num_out == 0) && (ret == 0)) {
10533			/* No more retrans to send */
10534			break;
10535		}
10536	}
10537#ifdef SCTP_AUDITING_ENABLED
10538	sctp_auditing(12, inp, stcb, NULL);
10539#endif
10540	/* Check for bad destinations, if they exist move chunks around. */
10541	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
10542		if (!(net->dest_state & SCTP_ADDR_REACHABLE)) {
10543			/*-
10544			 * if possible move things off of this address we
10545			 * still may send below due to the dormant state but
10546			 * we try to find an alternate address to send to
10547			 * and if we have one we move all queued data on the
10548			 * out wheel to this alternate address.
10549			 */
10550			if (net->ref_count > 1)
10551				sctp_move_chunks_from_net(stcb, net);
10552		} else {
10553			/*-
10554			 * if ((asoc->sat_network) || (net->addr_is_local))
10555			 * { burst_limit = asoc->max_burst *
10556			 * SCTP_SAT_NETWORK_BURST_INCR; }
10557			 */
10558			if (asoc->max_burst > 0) {
10559				if (SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst)) {
10560					if ((net->flight_size + (asoc->max_burst * net->mtu)) < net->cwnd) {
10561						/* JRS - Use the congestion control given in the congestion control module */
10562						asoc->cc_functions.sctp_cwnd_update_after_output(stcb, net, asoc->max_burst);
10563						if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
10564							sctp_log_maxburst(stcb, net, 0, asoc->max_burst, SCTP_MAX_BURST_APPLIED);
10565						}
10566						SCTP_STAT_INCR(sctps_maxburstqueued);
10567					}
10568					net->fast_retran_ip = 0;
10569				} else {
10570					if (net->flight_size == 0) {
10571						/* Should be decaying the cwnd here */
10572						;
10573					}
10574				}
10575			}
10576		}
10577
10578	}
10579	burst_cnt = 0;
10580	do {
10581		error = sctp_med_chunk_output(inp, stcb, asoc, &num_out,
10582					      &reason_code, 0, from_where,
10583					      &now, &now_filled, frag_point, so_locked);
10584		if (error) {
10585			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Error %d was returned from med-c-op\n", error);
10586			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
10587				sctp_log_maxburst(stcb, asoc->primary_destination, error, burst_cnt, SCTP_MAX_BURST_ERROR_STOP);
10588			}
10589			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
10590				sctp_log_cwnd(stcb, NULL, error, SCTP_SEND_NOW_COMPLETES);
10591				sctp_log_cwnd(stcb, NULL, 0xdeadbeef, SCTP_SEND_NOW_COMPLETES);
10592			}
10593			break;
10594		}
10595		SCTPDBG(SCTP_DEBUG_OUTPUT3, "m-c-o put out %d\n", num_out);
10596
10597		tot_out += num_out;
10598		burst_cnt++;
10599		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
10600			sctp_log_cwnd(stcb, NULL, num_out, SCTP_SEND_NOW_COMPLETES);
10601			if (num_out == 0) {
10602				sctp_log_cwnd(stcb, NULL, reason_code, SCTP_SEND_NOW_COMPLETES);
10603			}
10604		}
10605		if (nagle_on) {
10606			/*
10607			 * When the Nagle algorithm is used, look at how much
10608			 * is unsent, then if its smaller than an MTU and we
10609			 * have data in flight we stop, except if we are
10610			 * handling a fragmented user message.
10611			 */
10612			un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
10613			           (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
10614			if ((un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD)) &&
10615			    (stcb->asoc.total_flight > 0) &&
10616			    ((stcb->asoc.locked_on_sending == NULL) ||
10617			     sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR))) {
10618				break;
10619			}
10620		}
10621		if (TAILQ_EMPTY(&asoc->control_send_queue) &&
10622		    TAILQ_EMPTY(&asoc->send_queue) &&
10623		    stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) {
10624			/* Nothing left to send */
10625			break;
10626		}
10627		if ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) <= 0) {
10628			/* Nothing left to send */
10629			break;
10630		}
10631	} while (num_out &&
10632	         ((asoc->max_burst == 0) ||
10633		  SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst) ||
10634		  (burst_cnt < asoc->max_burst)));
10635
10636	if (SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst) == 0) {
10637		if ((asoc->max_burst > 0) && (burst_cnt >= asoc->max_burst)) {
10638			SCTP_STAT_INCR(sctps_maxburstqueued);
10639			asoc->burst_limit_applied = 1;
10640			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
10641				sctp_log_maxburst(stcb, asoc->primary_destination, 0, burst_cnt, SCTP_MAX_BURST_APPLIED);
10642			}
10643		} else {
10644			asoc->burst_limit_applied = 0;
10645		}
10646	}
10647	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
10648		sctp_log_cwnd(stcb, NULL, tot_out, SCTP_SEND_NOW_COMPLETES);
10649	}
10650	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Ok, we have put out %d chunks\n",
10651		tot_out);
10652
10653	/*-
10654	 * Now we need to clean up the control chunk chain if a ECNE is on
10655	 * it. It must be marked as UNSENT again so next call will continue
10656	 * to send it until such time that we get a CWR, to remove it.
10657	 */
10658	if (stcb->asoc.ecn_echo_cnt_onq)
10659		sctp_fix_ecn_echo(asoc);
10660	return;
10661}
10662
10663
10664int
10665sctp_output(
10666	struct sctp_inpcb *inp,
10667#if defined(__Panda__)
10668	pakhandle_type m,
10669#else
10670	struct mbuf *m,
10671#endif
10672	struct sockaddr *addr,
10673#if defined(__Panda__)
10674	pakhandle_type control,
10675#else
10676	struct mbuf *control,
10677#endif
10678#if defined(__FreeBSD__) && __FreeBSD_version >= 500000
10679	struct thread *p,
10680#elif defined(__Windows__)
10681	PKTHREAD p,
10682#else
10683#if defined(__APPLE__)
10684	struct proc *p SCTP_UNUSED,
10685#else
10686	struct proc *p,
10687#endif
10688#endif
10689	int flags)
10690{
10691	if (inp == NULL) {
10692		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
10693		return (EINVAL);
10694	}
10695
10696	if (inp->sctp_socket == NULL) {
10697		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
10698		return (EINVAL);
10699	}
10700	return (sctp_sosend(inp->sctp_socket,
10701			    addr,
10702			    (struct uio *)NULL,
10703			    m,
10704			    control,
10705#if defined(__APPLE__) || defined(__Panda__)
10706			    flags
10707#else
10708			    flags, p
10709#endif
10710			));
10711}
10712
10713void
10714send_forward_tsn(struct sctp_tcb *stcb,
10715		 struct sctp_association *asoc)
10716{
10717        struct sctp_tmit_chunk *chk;
10718	struct sctp_forward_tsn_chunk *fwdtsn;
10719	uint32_t advance_peer_ack_point;
10720
10721        SCTP_TCB_LOCK_ASSERT(stcb);
10722	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
10723		if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) {
10724			/* mark it to unsent */
10725			chk->sent = SCTP_DATAGRAM_UNSENT;
10726			chk->snd_count = 0;
10727			/* Do we correct its output location? */
10728			if (chk->whoTo) {
10729				sctp_free_remote_addr(chk->whoTo);
10730				chk->whoTo = NULL;
10731			}
10732			goto sctp_fill_in_rest;
10733		}
10734	}
10735	/* Ok if we reach here we must build one */
10736	sctp_alloc_a_chunk(stcb, chk);
10737	if (chk == NULL) {
10738		return;
10739	}
10740	asoc->fwd_tsn_cnt++;
10741	chk->copy_by_ref = 0;
10742	chk->rec.chunk_id.id = SCTP_FORWARD_CUM_TSN;
10743	chk->rec.chunk_id.can_take_data = 0;
10744	chk->asoc = asoc;
10745	chk->whoTo = NULL;
10746	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
10747	if (chk->data == NULL) {
10748		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
10749		return;
10750	}
10751	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
10752	chk->sent = SCTP_DATAGRAM_UNSENT;
10753	chk->snd_count = 0;
10754	TAILQ_INSERT_TAIL(&asoc->control_send_queue, chk, sctp_next);
10755	asoc->ctrl_queue_cnt++;
10756sctp_fill_in_rest:
10757	/*-
10758	 * Here we go through and fill out the part that deals with
10759	 * stream/seq of the ones we skip.
10760	 */
10761	SCTP_BUF_LEN(chk->data) = 0;
10762	{
10763		struct sctp_tmit_chunk *at, *tp1, *last;
10764		struct sctp_strseq *strseq;
10765		unsigned int cnt_of_space, i, ovh;
10766		unsigned int space_needed;
10767		unsigned int cnt_of_skipped = 0;
10768
10769		TAILQ_FOREACH(at, &asoc->sent_queue, sctp_next) {
10770			if ((at->sent != SCTP_FORWARD_TSN_SKIP) &&
10771			    (at->sent != SCTP_DATAGRAM_NR_ACKED)) {
10772				/* no more to look at */
10773				break;
10774			}
10775			if (at->rec.data.rcv_flags & SCTP_DATA_UNORDERED) {
10776				/* We don't report these */
10777				continue;
10778			}
10779			cnt_of_skipped++;
10780		}
10781		space_needed = (sizeof(struct sctp_forward_tsn_chunk) +
10782		    (cnt_of_skipped * sizeof(struct sctp_strseq)));
10783
10784		cnt_of_space = M_TRAILINGSPACE(chk->data);
10785
10786		if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
10787			ovh = SCTP_MIN_OVERHEAD;
10788		} else {
10789			ovh = SCTP_MIN_V4_OVERHEAD;
10790		}
10791		if (cnt_of_space > (asoc->smallest_mtu - ovh)) {
10792			/* trim to a mtu size */
10793			cnt_of_space = asoc->smallest_mtu - ovh;
10794		}
10795		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
10796			sctp_misc_ints(SCTP_FWD_TSN_CHECK,
10797				       0xff, 0, cnt_of_skipped,
10798				       asoc->advanced_peer_ack_point);
10799
10800		}
10801		advance_peer_ack_point = asoc->advanced_peer_ack_point;
10802		if (cnt_of_space < space_needed) {
10803			/*-
10804			 * ok we must trim down the chunk by lowering the
10805			 * advance peer ack point.
10806			 */
10807			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
10808				sctp_misc_ints(SCTP_FWD_TSN_CHECK,
10809					       0xff, 0xff, cnt_of_space,
10810					       space_needed);
10811			}
10812			cnt_of_skipped = cnt_of_space - sizeof(struct sctp_forward_tsn_chunk);
10813			cnt_of_skipped /= sizeof(struct sctp_strseq);
10814			/*-
10815			 * Go through and find the TSN that will be the one
10816			 * we report.
10817			 */
10818			at = TAILQ_FIRST(&asoc->sent_queue);
10819			if (at != NULL) {
10820				for (i = 0; i < cnt_of_skipped; i++) {
10821					tp1 = TAILQ_NEXT(at, sctp_next);
10822					if (tp1 == NULL) {
10823						break;
10824					}
10825					at = tp1;
10826				}
10827			}
10828			if (at && SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
10829				sctp_misc_ints(SCTP_FWD_TSN_CHECK,
10830					       0xff, cnt_of_skipped, at->rec.data.TSN_seq,
10831					       asoc->advanced_peer_ack_point);
10832			}
10833			last = at;
10834			/*-
10835			 * last now points to last one I can report, update
10836			 * peer ack point
10837			 */
10838			if (last)
10839				advance_peer_ack_point = last->rec.data.TSN_seq;
10840			space_needed = sizeof(struct sctp_forward_tsn_chunk) +
10841			               cnt_of_skipped * sizeof(struct sctp_strseq);
10842		}
10843		chk->send_size = space_needed;
10844		/* Setup the chunk */
10845		fwdtsn = mtod(chk->data, struct sctp_forward_tsn_chunk *);
10846		fwdtsn->ch.chunk_length = htons(chk->send_size);
10847		fwdtsn->ch.chunk_flags = 0;
10848		fwdtsn->ch.chunk_type = SCTP_FORWARD_CUM_TSN;
10849		fwdtsn->new_cumulative_tsn = htonl(advance_peer_ack_point);
10850		SCTP_BUF_LEN(chk->data) = chk->send_size;
10851		fwdtsn++;
10852		/*-
10853		 * Move pointer to after the fwdtsn and transfer to the
10854		 * strseq pointer.
10855		 */
10856		strseq = (struct sctp_strseq *)fwdtsn;
10857		/*-
10858		 * Now populate the strseq list. This is done blindly
10859		 * without pulling out duplicate stream info. This is
10860		 * inefficent but won't harm the process since the peer will
10861		 * look at these in sequence and will thus release anything.
10862		 * It could mean we exceed the PMTU and chop off some that
10863		 * we could have included.. but this is unlikely (aka 1432/4
10864		 * would mean 300+ stream seq's would have to be reported in
10865		 * one FWD-TSN. With a bit of work we can later FIX this to
10866		 * optimize and pull out duplcates.. but it does add more
10867		 * overhead. So for now... not!
10868		 */
10869		at = TAILQ_FIRST(&asoc->sent_queue);
10870		for (i = 0; i < cnt_of_skipped; i++) {
10871			tp1 = TAILQ_NEXT(at, sctp_next);
10872			if (tp1 == NULL)
10873				break;
10874			if (at->rec.data.rcv_flags & SCTP_DATA_UNORDERED) {
10875				/* We don't report these */
10876				i--;
10877				at = tp1;
10878				continue;
10879			}
10880			if (at->rec.data.TSN_seq == advance_peer_ack_point) {
10881				at->rec.data.fwd_tsn_cnt = 0;
10882			}
10883			strseq->stream = ntohs(at->rec.data.stream_number);
10884			strseq->sequence = ntohs(at->rec.data.stream_seq);
10885			strseq++;
10886			at = tp1;
10887		}
10888	}
10889	return;
10890}
10891
10892void
10893sctp_send_sack(struct sctp_tcb *stcb, int so_locked
10894#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
10895	SCTP_UNUSED
10896#endif
10897)
10898{
10899	/*-
10900	 * Queue up a SACK or NR-SACK in the control queue.
10901	 * We must first check to see if a SACK or NR-SACK is
10902	 * somehow on the control queue.
10903	 * If so, we will take and and remove the old one.
10904	 */
10905	struct sctp_association *asoc;
10906	struct sctp_tmit_chunk *chk, *a_chk;
10907	struct sctp_sack_chunk *sack;
10908	struct sctp_nr_sack_chunk *nr_sack;
10909	struct sctp_gap_ack_block *gap_descriptor;
10910	struct sack_track *selector;
10911	int mergeable = 0;
10912	int offset;
10913	caddr_t limit;
10914	uint32_t *dup;
10915	int limit_reached = 0;
10916	unsigned int i, siz, j;
10917	unsigned int num_gap_blocks = 0, num_nr_gap_blocks = 0, space;
10918	int num_dups = 0;
10919	int space_req;
10920	uint32_t highest_tsn;
10921	uint8_t flags;
10922	uint8_t type;
10923	uint8_t tsn_map;
10924
10925	if (stcb->asoc.nrsack_supported == 1) {
10926		type = SCTP_NR_SELECTIVE_ACK;
10927	} else {
10928		type = SCTP_SELECTIVE_ACK;
10929	}
10930	a_chk = NULL;
10931	asoc = &stcb->asoc;
10932	SCTP_TCB_LOCK_ASSERT(stcb);
10933	if (asoc->last_data_chunk_from == NULL) {
10934		/* Hmm we never received anything */
10935		return;
10936	}
10937	sctp_slide_mapping_arrays(stcb);
10938	sctp_set_rwnd(stcb, asoc);
10939	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
10940		if (chk->rec.chunk_id.id == type) {
10941			/* Hmm, found a sack already on queue, remove it */
10942			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
10943			asoc->ctrl_queue_cnt--;
10944			a_chk = chk;
10945			if (a_chk->data) {
10946				sctp_m_freem(a_chk->data);
10947				a_chk->data = NULL;
10948			}
10949			if (a_chk->whoTo) {
10950				sctp_free_remote_addr(a_chk->whoTo);
10951				a_chk->whoTo = NULL;
10952			}
10953			break;
10954		}
10955	}
10956	if (a_chk == NULL) {
10957		sctp_alloc_a_chunk(stcb, a_chk);
10958		if (a_chk == NULL) {
10959			/* No memory so we drop the idea, and set a timer */
10960			if (stcb->asoc.delayed_ack) {
10961				sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
10962				    stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_5);
10963				sctp_timer_start(SCTP_TIMER_TYPE_RECV,
10964				    stcb->sctp_ep, stcb, NULL);
10965			} else {
10966				stcb->asoc.send_sack = 1;
10967			}
10968			return;
10969		}
10970		a_chk->copy_by_ref = 0;
10971		a_chk->rec.chunk_id.id = type;
10972		a_chk->rec.chunk_id.can_take_data = 1;
10973	}
10974	/* Clear our pkt counts */
10975	asoc->data_pkts_seen = 0;
10976
10977	a_chk->asoc = asoc;
10978	a_chk->snd_count = 0;
10979	a_chk->send_size = 0;	/* fill in later */
10980	a_chk->sent = SCTP_DATAGRAM_UNSENT;
10981	a_chk->whoTo = NULL;
10982
10983	if ((asoc->numduptsns) ||
10984	    (!(asoc->last_data_chunk_from->dest_state & SCTP_ADDR_REACHABLE))) {
10985		/*-
10986		 * Ok, we have some duplicates or the destination for the
10987		 * sack is unreachable, lets see if we can select an
10988		 * alternate than asoc->last_data_chunk_from
10989		 */
10990		if ((asoc->last_data_chunk_from->dest_state & SCTP_ADDR_REACHABLE) &&
10991		    (asoc->used_alt_onsack > asoc->numnets)) {
10992			/* We used an alt last time, don't this time */
10993			a_chk->whoTo = NULL;
10994		} else {
10995			asoc->used_alt_onsack++;
10996			a_chk->whoTo = sctp_find_alternate_net(stcb, asoc->last_data_chunk_from, 0);
10997		}
10998		if (a_chk->whoTo == NULL) {
10999			/* Nope, no alternate */
11000			a_chk->whoTo = asoc->last_data_chunk_from;
11001			asoc->used_alt_onsack = 0;
11002		}
11003	} else {
11004		/*
11005		 * No duplicates so we use the last place we received data
11006		 * from.
11007		 */
11008		asoc->used_alt_onsack = 0;
11009		a_chk->whoTo = asoc->last_data_chunk_from;
11010	}
11011	if (a_chk->whoTo) {
11012		atomic_add_int(&a_chk->whoTo->ref_count, 1);
11013	}
11014	if (SCTP_TSN_GT(asoc->highest_tsn_inside_map, asoc->highest_tsn_inside_nr_map)) {
11015		highest_tsn = asoc->highest_tsn_inside_map;
11016	} else {
11017		highest_tsn = asoc->highest_tsn_inside_nr_map;
11018	}
11019	if (highest_tsn == asoc->cumulative_tsn) {
11020		/* no gaps */
11021		if (type == SCTP_SELECTIVE_ACK) {
11022			space_req = sizeof(struct sctp_sack_chunk);
11023		} else {
11024			space_req = sizeof(struct sctp_nr_sack_chunk);
11025		}
11026	} else {
11027		/* gaps get a cluster */
11028		space_req = MCLBYTES;
11029	}
11030	/* Ok now lets formulate a MBUF with our sack */
11031	a_chk->data = sctp_get_mbuf_for_msg(space_req, 0, M_NOWAIT, 1, MT_DATA);
11032	if ((a_chk->data == NULL) ||
11033	    (a_chk->whoTo == NULL)) {
11034		/* rats, no mbuf memory */
11035		if (a_chk->data) {
11036			/* was a problem with the destination */
11037			sctp_m_freem(a_chk->data);
11038			a_chk->data = NULL;
11039		}
11040		sctp_free_a_chunk(stcb, a_chk, so_locked);
11041		/* sa_ignore NO_NULL_CHK */
11042		if (stcb->asoc.delayed_ack) {
11043			sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
11044			    stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_6);
11045			sctp_timer_start(SCTP_TIMER_TYPE_RECV,
11046			    stcb->sctp_ep, stcb, NULL);
11047		} else {
11048			stcb->asoc.send_sack = 1;
11049		}
11050		return;
11051	}
11052	/* ok, lets go through and fill it in */
11053	SCTP_BUF_RESV_UF(a_chk->data, SCTP_MIN_OVERHEAD);
11054	space = M_TRAILINGSPACE(a_chk->data);
11055	if (space > (a_chk->whoTo->mtu - SCTP_MIN_OVERHEAD)) {
11056		space = (a_chk->whoTo->mtu - SCTP_MIN_OVERHEAD);
11057	}
11058	limit = mtod(a_chk->data, caddr_t);
11059	limit += space;
11060
11061	flags = 0;
11062
11063	if ((asoc->sctp_cmt_on_off > 0) &&
11064	    SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
11065		/*-
11066		 * CMT DAC algorithm: If 2 (i.e., 0x10) packets have been
11067		 * received, then set high bit to 1, else 0. Reset
11068		 * pkts_rcvd.
11069		 */
11070		flags |= (asoc->cmt_dac_pkts_rcvd << 6);
11071		asoc->cmt_dac_pkts_rcvd = 0;
11072	}
11073#ifdef SCTP_ASOCLOG_OF_TSNS
11074	stcb->asoc.cumack_logsnt[stcb->asoc.cumack_log_atsnt] = asoc->cumulative_tsn;
11075	stcb->asoc.cumack_log_atsnt++;
11076	if (stcb->asoc.cumack_log_atsnt >= SCTP_TSN_LOG_SIZE) {
11077		stcb->asoc.cumack_log_atsnt = 0;
11078	}
11079#endif
11080	/* reset the readers interpretation */
11081	stcb->freed_by_sorcv_sincelast = 0;
11082
11083	if (type == SCTP_SELECTIVE_ACK) {
11084		sack = mtod(a_chk->data, struct sctp_sack_chunk *);
11085		nr_sack = NULL;
11086		gap_descriptor = (struct sctp_gap_ack_block *)((caddr_t)sack + sizeof(struct sctp_sack_chunk));
11087		if (highest_tsn > asoc->mapping_array_base_tsn) {
11088			siz = (((highest_tsn - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
11089		} else {
11090			siz = (((MAX_TSN - highest_tsn) + 1) + highest_tsn + 7) / 8;
11091		}
11092	} else {
11093		sack = NULL;
11094		nr_sack = mtod(a_chk->data, struct sctp_nr_sack_chunk *);
11095		gap_descriptor = (struct sctp_gap_ack_block *)((caddr_t)nr_sack + sizeof(struct sctp_nr_sack_chunk));
11096		if (asoc->highest_tsn_inside_map > asoc->mapping_array_base_tsn) {
11097			siz = (((asoc->highest_tsn_inside_map - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
11098		} else {
11099			siz = (((MAX_TSN - asoc->mapping_array_base_tsn) + 1) + asoc->highest_tsn_inside_map + 7) / 8;
11100		}
11101	}
11102
11103	if (SCTP_TSN_GT(asoc->mapping_array_base_tsn, asoc->cumulative_tsn)) {
11104		offset = 1;
11105	} else {
11106		offset = asoc->mapping_array_base_tsn - asoc->cumulative_tsn;
11107	}
11108	if (((type == SCTP_SELECTIVE_ACK) &&
11109	     SCTP_TSN_GT(highest_tsn, asoc->cumulative_tsn)) ||
11110	    ((type == SCTP_NR_SELECTIVE_ACK) &&
11111	     SCTP_TSN_GT(asoc->highest_tsn_inside_map, asoc->cumulative_tsn))) {
11112		/* we have a gap .. maybe */
11113		for (i = 0; i < siz; i++) {
11114			tsn_map = asoc->mapping_array[i];
11115			if (type == SCTP_SELECTIVE_ACK) {
11116				tsn_map |= asoc->nr_mapping_array[i];
11117			}
11118			if (i == 0) {
11119				/*
11120				 * Clear all bits corresponding to TSNs
11121				 * smaller or equal to the cumulative TSN.
11122				 */
11123				tsn_map &= (~0 << (1 - offset));
11124			}
11125			selector = &sack_array[tsn_map];
11126			if (mergeable && selector->right_edge) {
11127				/*
11128				 * Backup, left and right edges were ok to
11129				 * merge.
11130				 */
11131				num_gap_blocks--;
11132				gap_descriptor--;
11133			}
11134			if (selector->num_entries == 0)
11135				mergeable = 0;
11136			else {
11137				for (j = 0; j < selector->num_entries; j++) {
11138					if (mergeable && selector->right_edge) {
11139						/*
11140						 * do a merge by NOT setting
11141						 * the left side
11142						 */
11143						mergeable = 0;
11144					} else {
11145						/*
11146						 * no merge, set the left
11147						 * side
11148						 */
11149						mergeable = 0;
11150						gap_descriptor->start = htons((selector->gaps[j].start + offset));
11151					}
11152					gap_descriptor->end = htons((selector->gaps[j].end + offset));
11153					num_gap_blocks++;
11154					gap_descriptor++;
11155					if (((caddr_t)gap_descriptor + sizeof(struct sctp_gap_ack_block)) > limit) {
11156						/* no more room */
11157						limit_reached = 1;
11158						break;
11159					}
11160				}
11161				if (selector->left_edge) {
11162					mergeable = 1;
11163				}
11164			}
11165			if (limit_reached) {
11166				/* Reached the limit stop */
11167				break;
11168			}
11169			offset += 8;
11170		}
11171	}
11172	if ((type == SCTP_NR_SELECTIVE_ACK) &&
11173	    (limit_reached == 0)) {
11174
11175		mergeable = 0;
11176
11177		if (asoc->highest_tsn_inside_nr_map > asoc->mapping_array_base_tsn) {
11178			siz = (((asoc->highest_tsn_inside_nr_map - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
11179		} else {
11180			siz = (((MAX_TSN - asoc->mapping_array_base_tsn) + 1) + asoc->highest_tsn_inside_nr_map + 7) / 8;
11181		}
11182
11183		if (SCTP_TSN_GT(asoc->mapping_array_base_tsn, asoc->cumulative_tsn)) {
11184			offset = 1;
11185		} else {
11186			offset = asoc->mapping_array_base_tsn - asoc->cumulative_tsn;
11187		}
11188		if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->cumulative_tsn)) {
11189			/* we have a gap .. maybe */
11190			for (i = 0; i < siz; i++) {
11191				tsn_map = asoc->nr_mapping_array[i];
11192				if (i == 0) {
11193					/*
11194					 * Clear all bits corresponding to TSNs
11195					 * smaller or equal to the cumulative TSN.
11196					 */
11197					tsn_map &= (~0 << (1 - offset));
11198				}
11199				selector = &sack_array[tsn_map];
11200				if (mergeable && selector->right_edge) {
11201					/*
11202					* Backup, left and right edges were ok to
11203					* merge.
11204					*/
11205					num_nr_gap_blocks--;
11206					gap_descriptor--;
11207				}
11208				if (selector->num_entries == 0)
11209					mergeable = 0;
11210				else {
11211					for (j = 0; j < selector->num_entries; j++) {
11212						if (mergeable && selector->right_edge) {
11213							/*
11214							* do a merge by NOT setting
11215							* the left side
11216							*/
11217							mergeable = 0;
11218						} else {
11219							/*
11220							* no merge, set the left
11221							* side
11222							*/
11223							mergeable = 0;
11224							gap_descriptor->start = htons((selector->gaps[j].start + offset));
11225						}
11226						gap_descriptor->end = htons((selector->gaps[j].end + offset));
11227						num_nr_gap_blocks++;
11228						gap_descriptor++;
11229						if (((caddr_t)gap_descriptor + sizeof(struct sctp_gap_ack_block)) > limit) {
11230							/* no more room */
11231							limit_reached = 1;
11232							break;
11233						}
11234					}
11235					if (selector->left_edge) {
11236						mergeable = 1;
11237					}
11238				}
11239				if (limit_reached) {
11240					/* Reached the limit stop */
11241					break;
11242				}
11243				offset += 8;
11244			}
11245		}
11246	}
11247	/* now we must add any dups we are going to report. */
11248	if ((limit_reached == 0) && (asoc->numduptsns)) {
11249		dup = (uint32_t *) gap_descriptor;
11250		for (i = 0; i < asoc->numduptsns; i++) {
11251			*dup = htonl(asoc->dup_tsns[i]);
11252			dup++;
11253			num_dups++;
11254			if (((caddr_t)dup + sizeof(uint32_t)) > limit) {
11255				/* no more room */
11256				break;
11257			}
11258		}
11259		asoc->numduptsns = 0;
11260	}
11261	/*
11262	 * now that the chunk is prepared queue it to the control chunk
11263	 * queue.
11264	 */
11265	if (type == SCTP_SELECTIVE_ACK) {
11266		a_chk->send_size = sizeof(struct sctp_sack_chunk) +
11267		                   (num_gap_blocks + num_nr_gap_blocks) * sizeof(struct sctp_gap_ack_block) +
11268		                   num_dups * sizeof(int32_t);
11269		SCTP_BUF_LEN(a_chk->data) = a_chk->send_size;
11270		sack->sack.cum_tsn_ack = htonl(asoc->cumulative_tsn);
11271		sack->sack.a_rwnd = htonl(asoc->my_rwnd);
11272		sack->sack.num_gap_ack_blks = htons(num_gap_blocks);
11273		sack->sack.num_dup_tsns = htons(num_dups);
11274		sack->ch.chunk_type = type;
11275		sack->ch.chunk_flags = flags;
11276		sack->ch.chunk_length = htons(a_chk->send_size);
11277	} else {
11278		a_chk->send_size = sizeof(struct sctp_nr_sack_chunk) +
11279		                   (num_gap_blocks + num_nr_gap_blocks) * sizeof(struct sctp_gap_ack_block) +
11280		                   num_dups * sizeof(int32_t);
11281		SCTP_BUF_LEN(a_chk->data) = a_chk->send_size;
11282		nr_sack->nr_sack.cum_tsn_ack = htonl(asoc->cumulative_tsn);
11283		nr_sack->nr_sack.a_rwnd = htonl(asoc->my_rwnd);
11284		nr_sack->nr_sack.num_gap_ack_blks = htons(num_gap_blocks);
11285		nr_sack->nr_sack.num_nr_gap_ack_blks = htons(num_nr_gap_blocks);
11286		nr_sack->nr_sack.num_dup_tsns = htons(num_dups);
11287		nr_sack->nr_sack.reserved = 0;
11288		nr_sack->ch.chunk_type = type;
11289		nr_sack->ch.chunk_flags = flags;
11290		nr_sack->ch.chunk_length = htons(a_chk->send_size);
11291	}
11292	TAILQ_INSERT_TAIL(&asoc->control_send_queue, a_chk, sctp_next);
11293	asoc->my_last_reported_rwnd = asoc->my_rwnd;
11294	asoc->ctrl_queue_cnt++;
11295	asoc->send_sack = 0;
11296	SCTP_STAT_INCR(sctps_sendsacks);
11297	return;
11298}
11299
11300void
11301sctp_send_abort_tcb(struct sctp_tcb *stcb, struct mbuf *operr, int so_locked
11302#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
11303    SCTP_UNUSED
11304#endif
11305    )
11306{
11307	struct mbuf *m_abort, *m, *m_last;
11308	struct mbuf *m_out, *m_end = NULL;
11309	struct sctp_abort_chunk *abort;
11310	struct sctp_auth_chunk *auth = NULL;
11311	struct sctp_nets *net;
11312	uint32_t vtag;
11313	uint32_t auth_offset = 0;
11314	uint16_t cause_len, chunk_len, padding_len;
11315
11316#if defined(__APPLE__)
11317	if (so_locked) {
11318		sctp_lock_assert(SCTP_INP_SO(stcb->sctp_ep));
11319	} else {
11320		sctp_unlock_assert(SCTP_INP_SO(stcb->sctp_ep));
11321	}
11322#endif
11323	SCTP_TCB_LOCK_ASSERT(stcb);
11324	/*-
11325	 * Add an AUTH chunk, if chunk requires it and save the offset into
11326	 * the chain for AUTH
11327	 */
11328	if (sctp_auth_is_required_chunk(SCTP_ABORT_ASSOCIATION,
11329	                                stcb->asoc.peer_auth_chunks)) {
11330		m_out = sctp_add_auth_chunk(NULL, &m_end, &auth, &auth_offset,
11331					    stcb, SCTP_ABORT_ASSOCIATION);
11332		SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
11333	} else {
11334		m_out = NULL;
11335	}
11336	m_abort = sctp_get_mbuf_for_msg(sizeof(struct sctp_abort_chunk), 0, M_NOWAIT, 1, MT_HEADER);
11337	if (m_abort == NULL) {
11338		if (m_out) {
11339			sctp_m_freem(m_out);
11340		}
11341		if (operr) {
11342			sctp_m_freem(operr);
11343		}
11344		return;
11345	}
11346	/* link in any error */
11347	SCTP_BUF_NEXT(m_abort) = operr;
11348	cause_len = 0;
11349	m_last = NULL;
11350	for (m = operr; m; m = SCTP_BUF_NEXT(m)) {
11351		cause_len += (uint16_t)SCTP_BUF_LEN(m);
11352		if (SCTP_BUF_NEXT(m) == NULL) {
11353			m_last = m;
11354		}
11355	}
11356	SCTP_BUF_LEN(m_abort) = sizeof(struct sctp_abort_chunk);
11357	chunk_len = (uint16_t)sizeof(struct sctp_abort_chunk) + cause_len;
11358	padding_len = SCTP_SIZE32(chunk_len) - chunk_len;
11359	if (m_out == NULL) {
11360		/* NO Auth chunk prepended, so reserve space in front */
11361		SCTP_BUF_RESV_UF(m_abort, SCTP_MIN_OVERHEAD);
11362		m_out = m_abort;
11363	} else {
11364		/* Put AUTH chunk at the front of the chain */
11365		SCTP_BUF_NEXT(m_end) = m_abort;
11366	}
11367	if (stcb->asoc.alternate) {
11368		net = stcb->asoc.alternate;
11369	} else {
11370		net = stcb->asoc.primary_destination;
11371	}
11372	/* Fill in the ABORT chunk header. */
11373	abort = mtod(m_abort, struct sctp_abort_chunk *);
11374	abort->ch.chunk_type = SCTP_ABORT_ASSOCIATION;
11375	if (stcb->asoc.peer_vtag == 0) {
11376		/* This happens iff the assoc is in COOKIE-WAIT state. */
11377		vtag = stcb->asoc.my_vtag;
11378		abort->ch.chunk_flags = SCTP_HAD_NO_TCB;
11379	} else {
11380		vtag = stcb->asoc.peer_vtag;
11381		abort->ch.chunk_flags = 0;
11382	}
11383	abort->ch.chunk_length = htons(chunk_len);
11384	/* Add padding, if necessary. */
11385	if (padding_len > 0) {
11386		if ((m_last == NULL) ||
11387		    (sctp_add_pad_tombuf(m_last, padding_len) == NULL)) {
11388			sctp_m_freem(m_out);
11389			return;
11390		}
11391	}
11392	(void)sctp_lowlevel_chunk_output(stcb->sctp_ep, stcb, net,
11393	                                 (struct sockaddr *)&net->ro._l_addr,
11394	                                 m_out, auth_offset, auth, stcb->asoc.authinfo.active_keyid, 1, 0, 0,
11395	                                 stcb->sctp_ep->sctp_lport, stcb->rport, htonl(vtag),
11396	                                 stcb->asoc.primary_destination->port, NULL,
11397#if defined(__FreeBSD__)
11398	                                 0, 0,
11399#endif
11400	                                 so_locked);
11401	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
11402}
11403
11404void
11405sctp_send_shutdown_complete(struct sctp_tcb *stcb,
11406                            struct sctp_nets *net,
11407                            int reflect_vtag)
11408{
11409	/* formulate and SEND a SHUTDOWN-COMPLETE */
11410	struct mbuf *m_shutdown_comp;
11411	struct sctp_shutdown_complete_chunk *shutdown_complete;
11412	uint32_t vtag;
11413	uint8_t flags;
11414
11415	m_shutdown_comp = sctp_get_mbuf_for_msg(sizeof(struct sctp_chunkhdr), 0, M_NOWAIT, 1, MT_HEADER);
11416	if (m_shutdown_comp == NULL) {
11417		/* no mbuf's */
11418		return;
11419	}
11420	if (reflect_vtag) {
11421		flags = SCTP_HAD_NO_TCB;
11422		vtag = stcb->asoc.my_vtag;
11423	} else {
11424		flags = 0;
11425		vtag = stcb->asoc.peer_vtag;
11426	}
11427	shutdown_complete = mtod(m_shutdown_comp, struct sctp_shutdown_complete_chunk *);
11428	shutdown_complete->ch.chunk_type = SCTP_SHUTDOWN_COMPLETE;
11429	shutdown_complete->ch.chunk_flags = flags;
11430	shutdown_complete->ch.chunk_length = htons(sizeof(struct sctp_shutdown_complete_chunk));
11431	SCTP_BUF_LEN(m_shutdown_comp) = sizeof(struct sctp_shutdown_complete_chunk);
11432	(void)sctp_lowlevel_chunk_output(stcb->sctp_ep, stcb, net,
11433	                                 (struct sockaddr *)&net->ro._l_addr,
11434	                                 m_shutdown_comp, 0, NULL, 0, 1, 0, 0,
11435	                                 stcb->sctp_ep->sctp_lport, stcb->rport,
11436	                                 htonl(vtag),
11437	                                 net->port, NULL,
11438#if defined(__FreeBSD__)
11439	                                 0, 0,
11440#endif
11441	                                 SCTP_SO_NOT_LOCKED);
11442	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
11443	return;
11444}
11445
11446#if defined(__FreeBSD__)
11447static void
11448sctp_send_resp_msg(struct sockaddr *src, struct sockaddr *dst,
11449                   struct sctphdr *sh, uint32_t vtag,
11450                   uint8_t type, struct mbuf *cause,
11451                   uint8_t use_mflowid, uint32_t mflowid,
11452                   uint32_t vrf_id, uint16_t port)
11453#else
11454static void
11455sctp_send_resp_msg(struct sockaddr *src, struct sockaddr *dst,
11456                   struct sctphdr *sh, uint32_t vtag,
11457                   uint8_t type, struct mbuf *cause,
11458                   uint32_t vrf_id SCTP_UNUSED, uint16_t port)
11459#endif
11460{
11461#ifdef __Panda__
11462	pakhandle_type o_pak;
11463#else
11464	struct mbuf *o_pak;
11465#endif
11466	struct mbuf *mout;
11467	struct sctphdr *shout;
11468	struct sctp_chunkhdr *ch;
11469#if defined(INET) || defined(INET6)
11470	struct udphdr *udp;
11471	int ret;
11472#endif
11473	int len, cause_len, padding_len;
11474#ifdef INET
11475#if defined(__APPLE__) || defined(__Panda__)
11476	sctp_route_t ro;
11477#endif
11478	struct sockaddr_in *src_sin, *dst_sin;
11479	struct ip *ip;
11480#endif
11481#ifdef INET6
11482	struct sockaddr_in6 *src_sin6, *dst_sin6;
11483	struct ip6_hdr *ip6;
11484#endif
11485
11486	/* Compute the length of the cause and add final padding. */
11487	cause_len = 0;
11488	if (cause != NULL) {
11489		struct mbuf *m_at, *m_last = NULL;
11490
11491		for (m_at = cause; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
11492			if (SCTP_BUF_NEXT(m_at) == NULL)
11493				m_last = m_at;
11494			cause_len += SCTP_BUF_LEN(m_at);
11495		}
11496		padding_len = cause_len % 4;
11497		if (padding_len != 0) {
11498			padding_len = 4 - padding_len;
11499		}
11500		if (padding_len != 0) {
11501			if (sctp_add_pad_tombuf(m_last, padding_len) == NULL) {
11502				sctp_m_freem(cause);
11503				return;
11504			}
11505		}
11506	} else {
11507		padding_len = 0;
11508	}
11509	/* Get an mbuf for the header. */
11510	len = sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
11511	switch (dst->sa_family) {
11512#ifdef INET
11513	case AF_INET:
11514		len += sizeof(struct ip);
11515		break;
11516#endif
11517#ifdef INET6
11518	case AF_INET6:
11519		len += sizeof(struct ip6_hdr);
11520		break;
11521#endif
11522	default:
11523		break;
11524	}
11525#if defined(INET) || defined(INET6)
11526	if (port) {
11527		len += sizeof(struct udphdr);
11528	}
11529#endif
11530#if defined(__APPLE__)
11531#if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
11532	mout = sctp_get_mbuf_for_msg(len + max_linkhdr, 1, M_NOWAIT, 1, MT_DATA);
11533#else
11534	mout = sctp_get_mbuf_for_msg(len + SCTP_MAX_LINKHDR, 1, M_NOWAIT, 1, MT_DATA);
11535#endif
11536#else
11537	mout = sctp_get_mbuf_for_msg(len + max_linkhdr, 1, M_NOWAIT, 1, MT_DATA);
11538#endif
11539	if (mout == NULL) {
11540		if (cause) {
11541			sctp_m_freem(cause);
11542		}
11543		return;
11544	}
11545#if defined(__APPLE__)
11546#if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
11547	SCTP_BUF_RESV_UF(mout, max_linkhdr);
11548#else
11549	SCTP_BUF_RESV_UF(mout, SCTP_MAX_LINKHDR);
11550#endif
11551#else
11552	SCTP_BUF_RESV_UF(mout, max_linkhdr);
11553#endif
11554	SCTP_BUF_LEN(mout) = len;
11555	SCTP_BUF_NEXT(mout) = cause;
11556#if defined(__FreeBSD__)
11557	if (use_mflowid != 0) {
11558		mout->m_pkthdr.flowid = mflowid;
11559		mout->m_flags |= M_FLOWID;
11560	}
11561#endif
11562#ifdef INET
11563	ip = NULL;
11564#endif
11565#ifdef INET6
11566	ip6 = NULL;
11567#endif
11568	switch (dst->sa_family) {
11569#ifdef INET
11570	case AF_INET:
11571		src_sin = (struct sockaddr_in *)src;
11572		dst_sin = (struct sockaddr_in *)dst;
11573		ip = mtod(mout, struct ip *);
11574		ip->ip_v = IPVERSION;
11575		ip->ip_hl = (sizeof(struct ip) >> 2);
11576		ip->ip_tos = 0;
11577#if defined(__FreeBSD__)
11578		ip->ip_id = ip_newid();
11579#elif defined(__APPLE__)
11580#if RANDOM_IP_ID
11581		ip->ip_id = ip_randomid();
11582#else
11583		ip->ip_id = htons(ip_id++);
11584#endif
11585#else
11586                ip->ip_id = htons(ip_id++);
11587#endif
11588		ip->ip_off = 0;
11589		ip->ip_ttl = MODULE_GLOBAL(ip_defttl);
11590		if (port) {
11591			ip->ip_p = IPPROTO_UDP;
11592		} else {
11593			ip->ip_p = IPPROTO_SCTP;
11594		}
11595		ip->ip_src.s_addr = dst_sin->sin_addr.s_addr;
11596		ip->ip_dst.s_addr = src_sin->sin_addr.s_addr;
11597		ip->ip_sum = 0;
11598		len = sizeof(struct ip);
11599		shout = (struct sctphdr *)((caddr_t)ip + len);
11600		break;
11601#endif
11602#ifdef INET6
11603	case AF_INET6:
11604		src_sin6 = (struct sockaddr_in6 *)src;
11605		dst_sin6 = (struct sockaddr_in6 *)dst;
11606		ip6 = mtod(mout, struct ip6_hdr *);
11607		ip6->ip6_flow = htonl(0x60000000);
11608#if defined(__FreeBSD__)
11609		if (V_ip6_auto_flowlabel) {
11610			ip6->ip6_flow |= (htonl(ip6_randomflowlabel()) & IPV6_FLOWLABEL_MASK);
11611		}
11612#endif
11613#if defined(__Userspace__)
11614		ip6->ip6_hlim = IPv6_HOP_LIMIT;
11615#else
11616		ip6->ip6_hlim = MODULE_GLOBAL(ip6_defhlim);
11617#endif
11618		if (port) {
11619			ip6->ip6_nxt = IPPROTO_UDP;
11620		} else {
11621			ip6->ip6_nxt = IPPROTO_SCTP;
11622		}
11623		ip6->ip6_src = dst_sin6->sin6_addr;
11624		ip6->ip6_dst = src_sin6->sin6_addr;
11625		len = sizeof(struct ip6_hdr);
11626		shout = (struct sctphdr *)((caddr_t)ip6 + len);
11627		break;
11628#endif
11629	default:
11630		len = 0;
11631		shout = mtod(mout, struct sctphdr *);
11632		break;
11633	}
11634#if defined(INET) || defined(INET6)
11635	if (port) {
11636		if (htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port)) == 0) {
11637			sctp_m_freem(mout);
11638			return;
11639		}
11640		udp = (struct udphdr *)shout;
11641		udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
11642		udp->uh_dport = port;
11643		udp->uh_sum = 0;
11644		udp->uh_ulen = htons(sizeof(struct udphdr) +
11645		                     sizeof(struct sctphdr) +
11646		                     sizeof(struct sctp_chunkhdr) +
11647		                     cause_len + padding_len);
11648		len += sizeof(struct udphdr);
11649		shout = (struct sctphdr *)((caddr_t)shout + sizeof(struct udphdr));
11650	} else {
11651		udp = NULL;
11652	}
11653#endif
11654	shout->src_port = sh->dest_port;
11655	shout->dest_port = sh->src_port;
11656	shout->checksum = 0;
11657	if (vtag) {
11658		shout->v_tag = htonl(vtag);
11659	} else {
11660		shout->v_tag = sh->v_tag;
11661	}
11662	len += sizeof(struct sctphdr);
11663	ch = (struct sctp_chunkhdr *)((caddr_t)shout + sizeof(struct sctphdr));
11664	ch->chunk_type = type;
11665	if (vtag) {
11666		ch->chunk_flags = 0;
11667	} else {
11668		ch->chunk_flags = SCTP_HAD_NO_TCB;
11669	}
11670	ch->chunk_length = htons(sizeof(struct sctp_chunkhdr) + cause_len);
11671	len += sizeof(struct sctp_chunkhdr);
11672	len += cause_len + padding_len;
11673
11674	if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
11675		sctp_m_freem(mout);
11676		return;
11677	}
11678	SCTP_ATTACH_CHAIN(o_pak, mout, len);
11679	switch (dst->sa_family) {
11680#ifdef INET
11681	case AF_INET:
11682#if defined(__APPLE__) || defined(__Panda__)
11683		/* zap the stack pointer to the route */
11684		bzero(&ro, sizeof(sctp_route_t));
11685#if defined(__Panda__)
11686		ro._l_addr.sa.sa_family = AF_INET;
11687#endif
11688#endif
11689		if (port) {
11690#if !defined(__Windows__) && !defined(__Userspace__)
11691#if defined(__FreeBSD__) && ((__FreeBSD_version > 803000 && __FreeBSD_version < 900000) || __FreeBSD_version > 900000)
11692			if (V_udp_cksum) {
11693				udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
11694			} else {
11695				udp->uh_sum = 0;
11696			}
11697#else
11698			udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
11699#endif
11700#else
11701			udp->uh_sum = 0;
11702#endif
11703		}
11704#if defined(__FreeBSD__)
11705#if __FreeBSD_version >= 1000000
11706		ip->ip_len = htons(len);
11707#else
11708		ip->ip_len = len;
11709#endif
11710#elif defined(__APPLE__) || defined(__Userspace__)
11711		ip->ip_len = len;
11712#else
11713		ip->ip_len = htons(len);
11714#endif
11715		if (port) {
11716#if defined(SCTP_WITH_NO_CSUM)
11717			SCTP_STAT_INCR(sctps_sendnocrc);
11718#else
11719			shout->checksum = sctp_calculate_cksum(mout, sizeof(struct ip) + sizeof(struct udphdr));
11720			SCTP_STAT_INCR(sctps_sendswcrc);
11721#endif
11722#if defined(__FreeBSD__) && ((__FreeBSD_version > 803000 && __FreeBSD_version < 900000) || __FreeBSD_version > 900000)
11723			if (V_udp_cksum) {
11724				SCTP_ENABLE_UDP_CSUM(o_pak);
11725			}
11726#else
11727			SCTP_ENABLE_UDP_CSUM(o_pak);
11728#endif
11729		} else {
11730#if defined(SCTP_WITH_NO_CSUM)
11731			SCTP_STAT_INCR(sctps_sendnocrc);
11732#else
11733#if defined(__FreeBSD__) && __FreeBSD_version >= 800000
11734			mout->m_pkthdr.csum_flags = CSUM_SCTP;
11735			mout->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
11736			SCTP_STAT_INCR(sctps_sendhwcrc);
11737#else
11738			shout->checksum = sctp_calculate_cksum(mout, sizeof(struct ip));
11739			SCTP_STAT_INCR(sctps_sendswcrc);
11740#endif
11741#endif
11742		}
11743#ifdef SCTP_PACKET_LOGGING
11744		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) {
11745			sctp_packet_log(o_pak);
11746		}
11747#endif
11748#if defined(__APPLE__) || defined(__Panda__)
11749		SCTP_IP_OUTPUT(ret, o_pak, &ro, NULL, vrf_id);
11750		/* Free the route if we got one back */
11751		if (ro.ro_rt) {
11752			RTFREE(ro.ro_rt);
11753			ro.ro_rt = NULL;
11754		}
11755#else
11756		SCTP_IP_OUTPUT(ret, o_pak, NULL, NULL, vrf_id);
11757#endif
11758		break;
11759#endif
11760#ifdef INET6
11761	case AF_INET6:
11762		ip6->ip6_plen = len - sizeof(struct ip6_hdr);
11763		if (port) {
11764#if defined(SCTP_WITH_NO_CSUM)
11765			SCTP_STAT_INCR(sctps_sendnocrc);
11766#else
11767			shout->checksum = sctp_calculate_cksum(mout, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
11768			SCTP_STAT_INCR(sctps_sendswcrc);
11769#endif
11770#if defined(__Windows__)
11771			udp->uh_sum = 0;
11772#elif !defined(__Userspace__)
11773			if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), len - sizeof(struct ip6_hdr))) == 0) {
11774				udp->uh_sum = 0xffff;
11775			}
11776#endif
11777		} else {
11778#if defined(SCTP_WITH_NO_CSUM)
11779			SCTP_STAT_INCR(sctps_sendnocrc);
11780#else
11781#if defined(__FreeBSD__) && __FreeBSD_version >= 900000
11782#if __FreeBSD_version > 901000
11783			mout->m_pkthdr.csum_flags = CSUM_SCTP_IPV6;
11784#else
11785			mout->m_pkthdr.csum_flags = CSUM_SCTP;
11786#endif
11787			mout->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
11788			SCTP_STAT_INCR(sctps_sendhwcrc);
11789#else
11790			shout->checksum = sctp_calculate_cksum(mout, sizeof(struct ip6_hdr));
11791			SCTP_STAT_INCR(sctps_sendswcrc);
11792#endif
11793#endif
11794		}
11795#ifdef SCTP_PACKET_LOGGING
11796		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) {
11797			sctp_packet_log(o_pak);
11798		}
11799#endif
11800		SCTP_IP6_OUTPUT(ret, o_pak, NULL, NULL, NULL, vrf_id);
11801		break;
11802#endif
11803#if defined(__Userspace__)
11804	case AF_CONN:
11805	{
11806		char *buffer;
11807		struct sockaddr_conn *sconn;
11808
11809		sconn = (struct sockaddr_conn *)src;
11810#if defined(SCTP_WITH_NO_CSUM)
11811		SCTP_STAT_INCR(sctps_sendnocrc);
11812#else
11813		shout->checksum = sctp_calculate_cksum(mout, 0);
11814		SCTP_STAT_INCR(sctps_sendswcrc);
11815#endif
11816#ifdef SCTP_PACKET_LOGGING
11817		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) {
11818			sctp_packet_log(mout);
11819		}
11820#endif
11821		/* Don't alloc/free for each packet */
11822		if ((buffer = malloc(len)) != NULL) {
11823			m_copydata(mout, 0, len, buffer);
11824			SCTP_BASE_VAR(conn_output)(sconn->sconn_addr, buffer, len, 0, 0);
11825			free(buffer);
11826		}
11827		sctp_m_freem(mout);
11828		break;
11829	}
11830#endif
11831	default:
11832		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Unknown protocol (TSNH) type %d\n",
11833		        dst->sa_family);
11834		sctp_m_freem(mout);
11835		SCTP_LTRACE_ERR_RET_PKT(mout, NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
11836		return;
11837	}
11838	SCTP_STAT_INCR(sctps_sendpackets);
11839	SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
11840	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
11841	return;
11842}
11843
11844void
11845sctp_send_shutdown_complete2(struct sockaddr *src, struct sockaddr *dst,
11846                             struct sctphdr *sh,
11847#if defined(__FreeBSD__)
11848                             uint8_t use_mflowid, uint32_t mflowid,
11849#endif
11850                             uint32_t vrf_id, uint16_t port)
11851{
11852	sctp_send_resp_msg(src, dst, sh, 0, SCTP_SHUTDOWN_COMPLETE, NULL,
11853#if defined(__FreeBSD__)
11854	                   use_mflowid, mflowid,
11855#endif
11856	                   vrf_id, port);
11857}
11858
11859void
11860sctp_send_hb(struct sctp_tcb *stcb, struct sctp_nets *net,int so_locked
11861#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
11862	SCTP_UNUSED
11863#endif
11864)
11865{
11866	struct sctp_tmit_chunk *chk;
11867	struct sctp_heartbeat_chunk *hb;
11868	struct timeval now;
11869
11870	SCTP_TCB_LOCK_ASSERT(stcb);
11871	if (net == NULL) {
11872		return;
11873	}
11874	(void)SCTP_GETTIME_TIMEVAL(&now);
11875	switch (net->ro._l_addr.sa.sa_family) {
11876#ifdef INET
11877	case AF_INET:
11878		break;
11879#endif
11880#ifdef INET6
11881	case AF_INET6:
11882		break;
11883#endif
11884#if defined(__Userspace__)
11885	case AF_CONN:
11886		break;
11887#endif
11888	default:
11889		return;
11890	}
11891	sctp_alloc_a_chunk(stcb, chk);
11892	if (chk == NULL) {
11893		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Gak, can't get a chunk for hb\n");
11894		return;
11895	}
11896
11897	chk->copy_by_ref = 0;
11898	chk->rec.chunk_id.id = SCTP_HEARTBEAT_REQUEST;
11899	chk->rec.chunk_id.can_take_data = 1;
11900	chk->asoc = &stcb->asoc;
11901	chk->send_size = sizeof(struct sctp_heartbeat_chunk);
11902
11903	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_NOWAIT, 1, MT_HEADER);
11904	if (chk->data == NULL) {
11905		sctp_free_a_chunk(stcb, chk, so_locked);
11906		return;
11907	}
11908	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11909	SCTP_BUF_LEN(chk->data) = chk->send_size;
11910	chk->sent = SCTP_DATAGRAM_UNSENT;
11911	chk->snd_count = 0;
11912	chk->whoTo = net;
11913	atomic_add_int(&chk->whoTo->ref_count, 1);
11914	/* Now we have a mbuf that we can fill in with the details */
11915	hb = mtod(chk->data, struct sctp_heartbeat_chunk *);
11916	memset(hb, 0, sizeof(struct sctp_heartbeat_chunk));
11917	/* fill out chunk header */
11918	hb->ch.chunk_type = SCTP_HEARTBEAT_REQUEST;
11919	hb->ch.chunk_flags = 0;
11920	hb->ch.chunk_length = htons(chk->send_size);
11921	/* Fill out hb parameter */
11922	hb->heartbeat.hb_info.ph.param_type = htons(SCTP_HEARTBEAT_INFO);
11923	hb->heartbeat.hb_info.ph.param_length = htons(sizeof(struct sctp_heartbeat_info_param));
11924	hb->heartbeat.hb_info.time_value_1 = now.tv_sec;
11925	hb->heartbeat.hb_info.time_value_2 = now.tv_usec;
11926	/* Did our user request this one, put it in */
11927	hb->heartbeat.hb_info.addr_family = net->ro._l_addr.sa.sa_family;
11928#ifdef HAVE_SA_LEN
11929	hb->heartbeat.hb_info.addr_len = net->ro._l_addr.sa.sa_len;
11930#else
11931	switch (net->ro._l_addr.sa.sa_family) {
11932#ifdef INET
11933	case AF_INET:
11934		hb->heartbeat.hb_info.addr_len = sizeof(struct sockaddr_in);
11935		break;
11936#endif
11937#ifdef INET6
11938	case AF_INET6:
11939		hb->heartbeat.hb_info.addr_len = sizeof(struct sockaddr_in6);
11940		break;
11941#endif
11942#if defined(__Userspace__)
11943	case AF_CONN:
11944		hb->heartbeat.hb_info.addr_len = sizeof(struct sockaddr_conn);
11945		break;
11946#endif
11947	default:
11948		hb->heartbeat.hb_info.addr_len = 0;
11949		break;
11950	}
11951#endif
11952	if (net->dest_state & SCTP_ADDR_UNCONFIRMED) {
11953		/*
11954		 * we only take from the entropy pool if the address is not
11955		 * confirmed.
11956		 */
11957		net->heartbeat_random1 = hb->heartbeat.hb_info.random_value1 = sctp_select_initial_TSN(&stcb->sctp_ep->sctp_ep);
11958		net->heartbeat_random2 = hb->heartbeat.hb_info.random_value2 = sctp_select_initial_TSN(&stcb->sctp_ep->sctp_ep);
11959	} else {
11960		net->heartbeat_random1 = hb->heartbeat.hb_info.random_value1 = 0;
11961		net->heartbeat_random2 = hb->heartbeat.hb_info.random_value2 = 0;
11962	}
11963	switch (net->ro._l_addr.sa.sa_family) {
11964#ifdef INET
11965	case AF_INET:
11966		memcpy(hb->heartbeat.hb_info.address,
11967		       &net->ro._l_addr.sin.sin_addr,
11968		       sizeof(net->ro._l_addr.sin.sin_addr));
11969		break;
11970#endif
11971#ifdef INET6
11972	case AF_INET6:
11973		memcpy(hb->heartbeat.hb_info.address,
11974		       &net->ro._l_addr.sin6.sin6_addr,
11975		       sizeof(net->ro._l_addr.sin6.sin6_addr));
11976		break;
11977#endif
11978#if defined(__Userspace__)
11979	case AF_CONN:
11980		memcpy(hb->heartbeat.hb_info.address,
11981		       &net->ro._l_addr.sconn.sconn_addr,
11982		       sizeof(net->ro._l_addr.sconn.sconn_addr));
11983		break;
11984#endif
11985	default:
11986		return;
11987		break;
11988	}
11989	net->hb_responded = 0;
11990	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
11991	stcb->asoc.ctrl_queue_cnt++;
11992	SCTP_STAT_INCR(sctps_sendheartbeat);
11993	return;
11994}
11995
11996void
11997sctp_send_ecn_echo(struct sctp_tcb *stcb, struct sctp_nets *net,
11998		   uint32_t high_tsn)
11999{
12000	struct sctp_association *asoc;
12001	struct sctp_ecne_chunk *ecne;
12002	struct sctp_tmit_chunk *chk;
12003
12004	if (net == NULL) {
12005		return;
12006	}
12007	asoc = &stcb->asoc;
12008	SCTP_TCB_LOCK_ASSERT(stcb);
12009	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
12010		if ((chk->rec.chunk_id.id == SCTP_ECN_ECHO) && (net == chk->whoTo)) {
12011			/* found a previous ECN_ECHO update it if needed */
12012			uint32_t cnt, ctsn;
12013			ecne = mtod(chk->data, struct sctp_ecne_chunk *);
12014			ctsn = ntohl(ecne->tsn);
12015			if (SCTP_TSN_GT(high_tsn, ctsn)) {
12016				ecne->tsn = htonl(high_tsn);
12017				SCTP_STAT_INCR(sctps_queue_upd_ecne);
12018			}
12019			cnt = ntohl(ecne->num_pkts_since_cwr);
12020			cnt++;
12021			ecne->num_pkts_since_cwr = htonl(cnt);
12022			return;
12023		}
12024	}
12025	/* nope could not find one to update so we must build one */
12026	sctp_alloc_a_chunk(stcb, chk);
12027	if (chk == NULL) {
12028		return;
12029	}
12030	chk->copy_by_ref = 0;
12031	SCTP_STAT_INCR(sctps_queue_upd_ecne);
12032	chk->rec.chunk_id.id = SCTP_ECN_ECHO;
12033	chk->rec.chunk_id.can_take_data = 0;
12034	chk->asoc = &stcb->asoc;
12035	chk->send_size = sizeof(struct sctp_ecne_chunk);
12036	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_NOWAIT, 1, MT_HEADER);
12037	if (chk->data == NULL) {
12038		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
12039		return;
12040	}
12041	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
12042	SCTP_BUF_LEN(chk->data) = chk->send_size;
12043	chk->sent = SCTP_DATAGRAM_UNSENT;
12044	chk->snd_count = 0;
12045	chk->whoTo = net;
12046	atomic_add_int(&chk->whoTo->ref_count, 1);
12047
12048	stcb->asoc.ecn_echo_cnt_onq++;
12049	ecne = mtod(chk->data, struct sctp_ecne_chunk *);
12050	ecne->ch.chunk_type = SCTP_ECN_ECHO;
12051	ecne->ch.chunk_flags = 0;
12052	ecne->ch.chunk_length = htons(sizeof(struct sctp_ecne_chunk));
12053	ecne->tsn = htonl(high_tsn);
12054	ecne->num_pkts_since_cwr = htonl(1);
12055	TAILQ_INSERT_HEAD(&stcb->asoc.control_send_queue, chk, sctp_next);
12056	asoc->ctrl_queue_cnt++;
12057}
12058
12059void
12060sctp_send_packet_dropped(struct sctp_tcb *stcb, struct sctp_nets *net,
12061    struct mbuf *m, int len, int iphlen, int bad_crc)
12062{
12063	struct sctp_association *asoc;
12064	struct sctp_pktdrop_chunk *drp;
12065	struct sctp_tmit_chunk *chk;
12066	uint8_t *datap;
12067	int was_trunc = 0;
12068	int fullsz = 0;
12069	long spc;
12070	int offset;
12071	struct sctp_chunkhdr *ch, chunk_buf;
12072	unsigned int chk_length;
12073
12074        if (!stcb) {
12075            return;
12076        }
12077	asoc = &stcb->asoc;
12078	SCTP_TCB_LOCK_ASSERT(stcb);
12079	if (asoc->pktdrop_supported == 0) {
12080		/*-
12081		 * peer must declare support before I send one.
12082		 */
12083		return;
12084	}
12085	if (stcb->sctp_socket == NULL) {
12086		return;
12087	}
12088	sctp_alloc_a_chunk(stcb, chk);
12089	if (chk == NULL) {
12090		return;
12091	}
12092	chk->copy_by_ref = 0;
12093	len -= iphlen;
12094	chk->send_size = len;
12095        /* Validate that we do not have an ABORT in here. */
12096	offset = iphlen + sizeof(struct sctphdr);
12097	ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset,
12098						   sizeof(*ch), (uint8_t *) & chunk_buf);
12099	while (ch != NULL) {
12100		chk_length = ntohs(ch->chunk_length);
12101		if (chk_length < sizeof(*ch)) {
12102			/* break to abort land */
12103			break;
12104		}
12105		switch (ch->chunk_type) {
12106		case SCTP_PACKET_DROPPED:
12107		case SCTP_ABORT_ASSOCIATION:
12108		case SCTP_INITIATION_ACK:
12109			/**
12110			 * We don't respond with an PKT-DROP to an ABORT
12111			 * or PKT-DROP. We also do not respond to an
12112			 * INIT-ACK, because we can't know if the initiation
12113			 * tag is correct or not.
12114			 */
12115			sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
12116			return;
12117		default:
12118			break;
12119		}
12120		offset += SCTP_SIZE32(chk_length);
12121		ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset,
12122		    sizeof(*ch), (uint8_t *) & chunk_buf);
12123	}
12124
12125	if ((len + SCTP_MAX_OVERHEAD + sizeof(struct sctp_pktdrop_chunk)) >
12126	    min(stcb->asoc.smallest_mtu, MCLBYTES)) {
12127		/* only send 1 mtu worth, trim off the
12128		 * excess on the end.
12129		 */
12130		fullsz = len;
12131		len = min(stcb->asoc.smallest_mtu, MCLBYTES) - SCTP_MAX_OVERHEAD;
12132		was_trunc = 1;
12133	}
12134	chk->asoc = &stcb->asoc;
12135	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
12136	if (chk->data == NULL) {
12137jump_out:
12138		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
12139		return;
12140	}
12141	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
12142	drp = mtod(chk->data, struct sctp_pktdrop_chunk *);
12143	if (drp == NULL) {
12144		sctp_m_freem(chk->data);
12145		chk->data = NULL;
12146		goto jump_out;
12147	}
12148	chk->book_size = SCTP_SIZE32((chk->send_size + sizeof(struct sctp_pktdrop_chunk) +
12149	    sizeof(struct sctphdr) + SCTP_MED_OVERHEAD));
12150	chk->book_size_scale = 0;
12151	if (was_trunc) {
12152		drp->ch.chunk_flags = SCTP_PACKET_TRUNCATED;
12153		drp->trunc_len = htons(fullsz);
12154		/* Len is already adjusted to size minus overhead above
12155		 * take out the pkt_drop chunk itself from it.
12156		 */
12157		chk->send_size = len - sizeof(struct sctp_pktdrop_chunk);
12158		len = chk->send_size;
12159	} else {
12160		/* no truncation needed */
12161		drp->ch.chunk_flags = 0;
12162		drp->trunc_len = htons(0);
12163	}
12164	if (bad_crc) {
12165		drp->ch.chunk_flags |= SCTP_BADCRC;
12166	}
12167	chk->send_size += sizeof(struct sctp_pktdrop_chunk);
12168	SCTP_BUF_LEN(chk->data) = chk->send_size;
12169	chk->sent = SCTP_DATAGRAM_UNSENT;
12170	chk->snd_count = 0;
12171	if (net) {
12172		/* we should hit here */
12173		chk->whoTo = net;
12174		atomic_add_int(&chk->whoTo->ref_count, 1);
12175	} else {
12176		chk->whoTo = NULL;
12177	}
12178	chk->rec.chunk_id.id = SCTP_PACKET_DROPPED;
12179	chk->rec.chunk_id.can_take_data = 1;
12180	drp->ch.chunk_type = SCTP_PACKET_DROPPED;
12181	drp->ch.chunk_length = htons(chk->send_size);
12182	spc = SCTP_SB_LIMIT_RCV(stcb->sctp_socket);
12183	if (spc < 0) {
12184		spc = 0;
12185	}
12186	drp->bottle_bw = htonl(spc);
12187	if (asoc->my_rwnd) {
12188		drp->current_onq = htonl(asoc->size_on_reasm_queue +
12189		    asoc->size_on_all_streams +
12190		    asoc->my_rwnd_control_len +
12191		    stcb->sctp_socket->so_rcv.sb_cc);
12192	} else {
12193		/*-
12194		 * If my rwnd is 0, possibly from mbuf depletion as well as
12195		 * space used, tell the peer there is NO space aka onq == bw
12196		 */
12197		drp->current_onq = htonl(spc);
12198	}
12199	drp->reserved = 0;
12200	datap = drp->data;
12201	m_copydata(m, iphlen, len, (caddr_t)datap);
12202	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
12203	asoc->ctrl_queue_cnt++;
12204}
12205
12206void
12207sctp_send_cwr(struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t high_tsn, uint8_t override)
12208{
12209	struct sctp_association *asoc;
12210	struct sctp_cwr_chunk *cwr;
12211	struct sctp_tmit_chunk *chk;
12212
12213	SCTP_TCB_LOCK_ASSERT(stcb);
12214	if (net == NULL) {
12215		return;
12216	}
12217	asoc = &stcb->asoc;
12218	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
12219		if ((chk->rec.chunk_id.id == SCTP_ECN_CWR) && (net == chk->whoTo)) {
12220			/* found a previous CWR queued to same destination update it if needed */
12221			uint32_t ctsn;
12222			cwr = mtod(chk->data, struct sctp_cwr_chunk *);
12223			ctsn = ntohl(cwr->tsn);
12224			if (SCTP_TSN_GT(high_tsn, ctsn)) {
12225				cwr->tsn = htonl(high_tsn);
12226			}
12227			if (override & SCTP_CWR_REDUCE_OVERRIDE) {
12228				/* Make sure override is carried */
12229				cwr->ch.chunk_flags |= SCTP_CWR_REDUCE_OVERRIDE;
12230			}
12231			return;
12232		}
12233	}
12234	sctp_alloc_a_chunk(stcb, chk);
12235	if (chk == NULL) {
12236		return;
12237	}
12238	chk->copy_by_ref = 0;
12239	chk->rec.chunk_id.id = SCTP_ECN_CWR;
12240	chk->rec.chunk_id.can_take_data = 1;
12241	chk->asoc = &stcb->asoc;
12242	chk->send_size = sizeof(struct sctp_cwr_chunk);
12243	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_NOWAIT, 1, MT_HEADER);
12244	if (chk->data == NULL) {
12245		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
12246		return;
12247	}
12248	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
12249	SCTP_BUF_LEN(chk->data) = chk->send_size;
12250	chk->sent = SCTP_DATAGRAM_UNSENT;
12251	chk->snd_count = 0;
12252	chk->whoTo = net;
12253	atomic_add_int(&chk->whoTo->ref_count, 1);
12254	cwr = mtod(chk->data, struct sctp_cwr_chunk *);
12255	cwr->ch.chunk_type = SCTP_ECN_CWR;
12256	cwr->ch.chunk_flags = override;
12257	cwr->ch.chunk_length = htons(sizeof(struct sctp_cwr_chunk));
12258	cwr->tsn = htonl(high_tsn);
12259	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
12260	asoc->ctrl_queue_cnt++;
12261}
12262
12263void
12264sctp_add_stream_reset_out(struct sctp_tmit_chunk *chk,
12265                          int number_entries, uint16_t * list,
12266                          uint32_t seq, uint32_t resp_seq, uint32_t last_sent)
12267{
12268	uint16_t len, old_len, i;
12269	struct sctp_stream_reset_out_request *req_out;
12270	struct sctp_chunkhdr *ch;
12271
12272	ch = mtod(chk->data, struct sctp_chunkhdr *);
12273	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
12274
12275	/* get to new offset for the param. */
12276	req_out = (struct sctp_stream_reset_out_request *)((caddr_t)ch + len);
12277	/* now how long will this param be? */
12278	len = (sizeof(struct sctp_stream_reset_out_request) + (sizeof(uint16_t) * number_entries));
12279	req_out->ph.param_type = htons(SCTP_STR_RESET_OUT_REQUEST);
12280	req_out->ph.param_length = htons(len);
12281	req_out->request_seq = htonl(seq);
12282	req_out->response_seq = htonl(resp_seq);
12283	req_out->send_reset_at_tsn = htonl(last_sent);
12284	if (number_entries) {
12285		for (i = 0; i < number_entries; i++) {
12286			req_out->list_of_streams[i] = htons(list[i]);
12287		}
12288	}
12289	if (SCTP_SIZE32(len) > len) {
12290		/*-
12291		 * Need to worry about the pad we may end up adding to the
12292		 * end. This is easy since the struct is either aligned to 4
12293		 * bytes or 2 bytes off.
12294		 */
12295		req_out->list_of_streams[number_entries] = 0;
12296	}
12297	/* now fix the chunk length */
12298	ch->chunk_length = htons(len + old_len);
12299	chk->book_size = len + old_len;
12300	chk->book_size_scale = 0;
12301	chk->send_size = SCTP_SIZE32(chk->book_size);
12302	SCTP_BUF_LEN(chk->data) = chk->send_size;
12303	return;
12304}
12305
12306static void
12307sctp_add_stream_reset_in(struct sctp_tmit_chunk *chk,
12308                         int number_entries, uint16_t *list,
12309                         uint32_t seq)
12310{
12311	uint16_t len, old_len, i;
12312	struct sctp_stream_reset_in_request *req_in;
12313	struct sctp_chunkhdr *ch;
12314
12315	ch = mtod(chk->data, struct sctp_chunkhdr *);
12316	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
12317
12318	/* get to new offset for the param. */
12319	req_in = (struct sctp_stream_reset_in_request *)((caddr_t)ch + len);
12320	/* now how long will this param be? */
12321	len = (sizeof(struct sctp_stream_reset_in_request) + (sizeof(uint16_t) * number_entries));
12322	req_in->ph.param_type = htons(SCTP_STR_RESET_IN_REQUEST);
12323	req_in->ph.param_length = htons(len);
12324	req_in->request_seq = htonl(seq);
12325	if (number_entries) {
12326		for (i = 0; i < number_entries; i++) {
12327			req_in->list_of_streams[i] = htons(list[i]);
12328		}
12329	}
12330	if (SCTP_SIZE32(len) > len) {
12331		/*-
12332		 * Need to worry about the pad we may end up adding to the
12333		 * end. This is easy since the struct is either aligned to 4
12334		 * bytes or 2 bytes off.
12335		 */
12336		req_in->list_of_streams[number_entries] = 0;
12337	}
12338	/* now fix the chunk length */
12339	ch->chunk_length = htons(len + old_len);
12340	chk->book_size = len + old_len;
12341	chk->book_size_scale = 0;
12342	chk->send_size = SCTP_SIZE32(chk->book_size);
12343	SCTP_BUF_LEN(chk->data) = chk->send_size;
12344	return;
12345}
12346
12347static void
12348sctp_add_stream_reset_tsn(struct sctp_tmit_chunk *chk,
12349                          uint32_t seq)
12350{
12351	uint16_t len, old_len;
12352	struct sctp_stream_reset_tsn_request *req_tsn;
12353	struct sctp_chunkhdr *ch;
12354
12355	ch = mtod(chk->data, struct sctp_chunkhdr *);
12356	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
12357
12358	/* get to new offset for the param. */
12359	req_tsn = (struct sctp_stream_reset_tsn_request *)((caddr_t)ch + len);
12360	/* now how long will this param be? */
12361	len = sizeof(struct sctp_stream_reset_tsn_request);
12362	req_tsn->ph.param_type = htons(SCTP_STR_RESET_TSN_REQUEST);
12363	req_tsn->ph.param_length = htons(len);
12364	req_tsn->request_seq = htonl(seq);
12365
12366	/* now fix the chunk length */
12367	ch->chunk_length = htons(len + old_len);
12368	chk->send_size = len + old_len;
12369	chk->book_size = SCTP_SIZE32(chk->send_size);
12370	chk->book_size_scale = 0;
12371	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
12372	return;
12373}
12374
12375void
12376sctp_add_stream_reset_result(struct sctp_tmit_chunk *chk,
12377                             uint32_t resp_seq, uint32_t result)
12378{
12379	uint16_t len, old_len;
12380	struct sctp_stream_reset_response *resp;
12381	struct sctp_chunkhdr *ch;
12382
12383	ch = mtod(chk->data, struct sctp_chunkhdr *);
12384	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
12385
12386	/* get to new offset for the param. */
12387	resp = (struct sctp_stream_reset_response *)((caddr_t)ch + len);
12388	/* now how long will this param be? */
12389	len = sizeof(struct sctp_stream_reset_response);
12390	resp->ph.param_type = htons(SCTP_STR_RESET_RESPONSE);
12391	resp->ph.param_length = htons(len);
12392	resp->response_seq = htonl(resp_seq);
12393	resp->result = ntohl(result);
12394
12395	/* now fix the chunk length */
12396	ch->chunk_length = htons(len + old_len);
12397	chk->book_size = len + old_len;
12398	chk->book_size_scale = 0;
12399	chk->send_size = SCTP_SIZE32(chk->book_size);
12400	SCTP_BUF_LEN(chk->data) = chk->send_size;
12401	return;
12402}
12403
12404void
12405sctp_add_stream_reset_result_tsn(struct sctp_tmit_chunk *chk,
12406                                 uint32_t resp_seq, uint32_t result,
12407                                 uint32_t send_una, uint32_t recv_next)
12408{
12409	uint16_t len, old_len;
12410	struct sctp_stream_reset_response_tsn *resp;
12411	struct sctp_chunkhdr *ch;
12412
12413	ch = mtod(chk->data, struct sctp_chunkhdr *);
12414	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
12415
12416	/* get to new offset for the param. */
12417	resp = (struct sctp_stream_reset_response_tsn *)((caddr_t)ch + len);
12418	/* now how long will this param be? */
12419	len = sizeof(struct sctp_stream_reset_response_tsn);
12420	resp->ph.param_type = htons(SCTP_STR_RESET_RESPONSE);
12421	resp->ph.param_length = htons(len);
12422	resp->response_seq = htonl(resp_seq);
12423	resp->result = htonl(result);
12424	resp->senders_next_tsn = htonl(send_una);
12425	resp->receivers_next_tsn = htonl(recv_next);
12426
12427	/* now fix the chunk length */
12428	ch->chunk_length = htons(len + old_len);
12429	chk->book_size = len + old_len;
12430	chk->send_size = SCTP_SIZE32(chk->book_size);
12431	chk->book_size_scale = 0;
12432	SCTP_BUF_LEN(chk->data) = chk->send_size;
12433	return;
12434}
12435
12436static void
12437sctp_add_an_out_stream(struct sctp_tmit_chunk *chk,
12438		       uint32_t seq,
12439		       uint16_t adding)
12440{
12441	uint16_t len, old_len;
12442	struct sctp_chunkhdr *ch;
12443	struct sctp_stream_reset_add_strm *addstr;
12444
12445	ch = mtod(chk->data, struct sctp_chunkhdr *);
12446	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
12447
12448	/* get to new offset for the param. */
12449	addstr = (struct sctp_stream_reset_add_strm *)((caddr_t)ch + len);
12450	/* now how long will this param be? */
12451	len = sizeof(struct sctp_stream_reset_add_strm);
12452
12453	/* Fill it out. */
12454	addstr->ph.param_type = htons(SCTP_STR_RESET_ADD_OUT_STREAMS);
12455	addstr->ph.param_length = htons(len);
12456	addstr->request_seq = htonl(seq);
12457	addstr->number_of_streams = htons(adding);
12458	addstr->reserved = 0;
12459
12460	/* now fix the chunk length */
12461	ch->chunk_length = htons(len + old_len);
12462	chk->send_size = len + old_len;
12463	chk->book_size = SCTP_SIZE32(chk->send_size);
12464	chk->book_size_scale = 0;
12465	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
12466	return;
12467}
12468
12469static void
12470sctp_add_an_in_stream(struct sctp_tmit_chunk *chk,
12471                      uint32_t seq,
12472                      uint16_t adding)
12473{
12474	uint16_t len, old_len;
12475	struct sctp_chunkhdr *ch;
12476	struct sctp_stream_reset_add_strm *addstr;
12477
12478	ch = mtod(chk->data, struct sctp_chunkhdr *);
12479	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
12480
12481	/* get to new offset for the param. */
12482	addstr = (struct sctp_stream_reset_add_strm *)((caddr_t)ch + len);
12483	/* now how long will this param be? */
12484	len = sizeof(struct sctp_stream_reset_add_strm);
12485	/* Fill it out. */
12486	addstr->ph.param_type = htons(SCTP_STR_RESET_ADD_IN_STREAMS);
12487	addstr->ph.param_length = htons(len);
12488	addstr->request_seq = htonl(seq);
12489	addstr->number_of_streams = htons(adding);
12490	addstr->reserved = 0;
12491
12492	/* now fix the chunk length */
12493	ch->chunk_length = htons(len + old_len);
12494	chk->send_size = len + old_len;
12495	chk->book_size = SCTP_SIZE32(chk->send_size);
12496	chk->book_size_scale = 0;
12497	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
12498	return;
12499}
12500
12501int
12502sctp_send_str_reset_req(struct sctp_tcb *stcb,
12503                        int number_entries, uint16_t *list,
12504                        uint8_t send_out_req,
12505                        uint8_t send_in_req,
12506                        uint8_t send_tsn_req,
12507                        uint8_t add_stream,
12508                        uint16_t adding_o,
12509                        uint16_t adding_i, uint8_t peer_asked)
12510{
12511
12512	struct sctp_association *asoc;
12513	struct sctp_tmit_chunk *chk;
12514	struct sctp_chunkhdr *ch;
12515	uint32_t seq;
12516
12517	asoc = &stcb->asoc;
12518	if (asoc->stream_reset_outstanding) {
12519		/*-
12520		 * Already one pending, must get ACK back to clear the flag.
12521		 */
12522		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EBUSY);
12523		return (EBUSY);
12524	}
12525	if ((send_out_req == 0) && (send_in_req == 0) && (send_tsn_req == 0) &&
12526	    (add_stream == 0)) {
12527		/* nothing to do */
12528		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12529		return (EINVAL);
12530	}
12531	if (send_tsn_req && (send_out_req || send_in_req)) {
12532		/* error, can't do that */
12533		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12534		return (EINVAL);
12535	}
12536	sctp_alloc_a_chunk(stcb, chk);
12537	if (chk == NULL) {
12538		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12539		return (ENOMEM);
12540	}
12541	chk->copy_by_ref = 0;
12542	chk->rec.chunk_id.id = SCTP_STREAM_RESET;
12543	chk->rec.chunk_id.can_take_data = 0;
12544	chk->asoc = &stcb->asoc;
12545	chk->book_size = sizeof(struct sctp_chunkhdr);
12546	chk->send_size = SCTP_SIZE32(chk->book_size);
12547	chk->book_size_scale = 0;
12548
12549	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
12550	if (chk->data == NULL) {
12551		sctp_free_a_chunk(stcb, chk, SCTP_SO_LOCKED);
12552		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12553		return (ENOMEM);
12554	}
12555	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
12556
12557	/* setup chunk parameters */
12558	chk->sent = SCTP_DATAGRAM_UNSENT;
12559	chk->snd_count = 0;
12560	if (stcb->asoc.alternate) {
12561		chk->whoTo = stcb->asoc.alternate;
12562	} else {
12563		chk->whoTo = stcb->asoc.primary_destination;
12564	}
12565	atomic_add_int(&chk->whoTo->ref_count, 1);
12566	ch = mtod(chk->data, struct sctp_chunkhdr *);
12567	ch->chunk_type = SCTP_STREAM_RESET;
12568	ch->chunk_flags = 0;
12569	ch->chunk_length = htons(chk->book_size);
12570	SCTP_BUF_LEN(chk->data) = chk->send_size;
12571
12572	seq = stcb->asoc.str_reset_seq_out;
12573	if (send_out_req) {
12574		sctp_add_stream_reset_out(chk, number_entries, list,
12575					  seq, (stcb->asoc.str_reset_seq_in - 1), (stcb->asoc.sending_seq - 1));
12576		asoc->stream_reset_out_is_outstanding = 1;
12577		seq++;
12578		asoc->stream_reset_outstanding++;
12579	}
12580	if ((add_stream & 1) &&
12581	    ((stcb->asoc.strm_realoutsize - stcb->asoc.streamoutcnt) < adding_o)) {
12582		/* Need to allocate more */
12583		struct sctp_stream_out *oldstream;
12584		struct sctp_stream_queue_pending *sp, *nsp;
12585		int i;
12586#if defined(SCTP_DETAILED_STR_STATS)
12587		int j;
12588#endif
12589
12590		oldstream = stcb->asoc.strmout;
12591		/* get some more */
12592		SCTP_MALLOC(stcb->asoc.strmout, struct sctp_stream_out *,
12593			    ((stcb->asoc.streamoutcnt+adding_o) * sizeof(struct sctp_stream_out)),
12594			    SCTP_M_STRMO);
12595		if (stcb->asoc.strmout == NULL) {
12596			uint8_t x;
12597			stcb->asoc.strmout = oldstream;
12598			/* Turn off the bit */
12599			x = add_stream & 0xfe;
12600			add_stream = x;
12601			goto skip_stuff;
12602		}
12603		/* Ok now we proceed with copying the old out stuff and
12604		 * initializing the new stuff.
12605		 */
12606		SCTP_TCB_SEND_LOCK(stcb);
12607		stcb->asoc.ss_functions.sctp_ss_clear(stcb, &stcb->asoc, 0, 1);
12608		for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
12609			TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
12610			stcb->asoc.strmout[i].chunks_on_queues = oldstream[i].chunks_on_queues;
12611			stcb->asoc.strmout[i].next_sequence_send = oldstream[i].next_sequence_send;
12612			stcb->asoc.strmout[i].last_msg_incomplete = oldstream[i].last_msg_incomplete;
12613			stcb->asoc.strmout[i].stream_no = i;
12614			stcb->asoc.ss_functions.sctp_ss_init_stream(&stcb->asoc.strmout[i], &oldstream[i]);
12615			/* now anything on those queues? */
12616			TAILQ_FOREACH_SAFE(sp, &oldstream[i].outqueue, next, nsp) {
12617				TAILQ_REMOVE(&oldstream[i].outqueue, sp, next);
12618				TAILQ_INSERT_TAIL(&stcb->asoc.strmout[i].outqueue, sp, next);
12619			}
12620			/* Now move assoc pointers too */
12621			if (stcb->asoc.last_out_stream == &oldstream[i]) {
12622				stcb->asoc.last_out_stream = &stcb->asoc.strmout[i];
12623			}
12624			if (stcb->asoc.locked_on_sending == &oldstream[i]) {
12625				stcb->asoc.locked_on_sending = &stcb->asoc.strmout[i];
12626			}
12627		}
12628		/* now the new streams */
12629		stcb->asoc.ss_functions.sctp_ss_init(stcb, &stcb->asoc, 1);
12630		for (i = stcb->asoc.streamoutcnt; i < (stcb->asoc.streamoutcnt + adding_o); i++) {
12631			TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
12632			stcb->asoc.strmout[i].chunks_on_queues = 0;
12633#if defined(SCTP_DETAILED_STR_STATS)
12634			for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
12635				stcb->asoc.strmout[i].abandoned_sent[j] = 0;
12636				stcb->asoc.strmout[i].abandoned_unsent[j] = 0;
12637			}
12638#else
12639			stcb->asoc.strmout[i].abandoned_sent[0] = 0;
12640			stcb->asoc.strmout[i].abandoned_unsent[0] = 0;
12641#endif
12642			stcb->asoc.strmout[i].next_sequence_send = 0x0;
12643			stcb->asoc.strmout[i].stream_no = i;
12644			stcb->asoc.strmout[i].last_msg_incomplete = 0;
12645			stcb->asoc.ss_functions.sctp_ss_init_stream(&stcb->asoc.strmout[i], NULL);
12646		}
12647		stcb->asoc.strm_realoutsize = stcb->asoc.streamoutcnt + adding_o;
12648		SCTP_FREE(oldstream, SCTP_M_STRMO);
12649		SCTP_TCB_SEND_UNLOCK(stcb);
12650	}
12651skip_stuff:
12652	if ((add_stream & 1) && (adding_o > 0)) {
12653		asoc->strm_pending_add_size = adding_o;
12654		asoc->peer_req_out = peer_asked;
12655		sctp_add_an_out_stream(chk, seq, adding_o);
12656		seq++;
12657		asoc->stream_reset_outstanding++;
12658	}
12659	if ((add_stream & 2) && (adding_i > 0)) {
12660		sctp_add_an_in_stream(chk, seq, adding_i);
12661		seq++;
12662		asoc->stream_reset_outstanding++;
12663	}
12664	if (send_in_req) {
12665		sctp_add_stream_reset_in(chk, number_entries, list, seq);
12666		seq++;
12667		asoc->stream_reset_outstanding++;
12668	}
12669	if (send_tsn_req) {
12670		sctp_add_stream_reset_tsn(chk, seq);
12671		asoc->stream_reset_outstanding++;
12672	}
12673	asoc->str_reset = chk;
12674	/* insert the chunk for sending */
12675	TAILQ_INSERT_TAIL(&asoc->control_send_queue,
12676			  chk,
12677			  sctp_next);
12678	asoc->ctrl_queue_cnt++;
12679	sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
12680	return (0);
12681}
12682
12683void
12684sctp_send_abort(struct mbuf *m, int iphlen, struct sockaddr *src, struct sockaddr *dst,
12685                struct sctphdr *sh, uint32_t vtag, struct mbuf *cause,
12686#if defined(__FreeBSD__)
12687                uint8_t use_mflowid, uint32_t mflowid,
12688#endif
12689                uint32_t vrf_id, uint16_t port)
12690{
12691	/* Don't respond to an ABORT with an ABORT. */
12692	if (sctp_is_there_an_abort_here(m, iphlen, &vtag)) {
12693		if (cause)
12694			sctp_m_freem(cause);
12695		return;
12696	}
12697	sctp_send_resp_msg(src, dst, sh, vtag, SCTP_ABORT_ASSOCIATION, cause,
12698#if defined(__FreeBSD__)
12699	                   use_mflowid, mflowid,
12700#endif
12701	                   vrf_id, port);
12702	return;
12703}
12704
12705void
12706sctp_send_operr_to(struct sockaddr *src, struct sockaddr *dst,
12707                   struct sctphdr *sh, uint32_t vtag, struct mbuf *cause,
12708#if defined(__FreeBSD__)
12709                   uint8_t use_mflowid, uint32_t mflowid,
12710#endif
12711                   uint32_t vrf_id, uint16_t port)
12712{
12713	sctp_send_resp_msg(src, dst, sh, vtag, SCTP_OPERATION_ERROR, cause,
12714#if defined(__FreeBSD__)
12715	                   use_mflowid, mflowid,
12716#endif
12717	                   vrf_id, port);
12718	return;
12719}
12720
12721static struct mbuf *
12722sctp_copy_resume(struct uio *uio,
12723		 int max_send_len,
12724#if defined(__FreeBSD__) && __FreeBSD_version > 602000
12725		 int user_marks_eor,
12726#endif
12727		 int *error,
12728		 uint32_t *sndout,
12729		 struct mbuf **new_tail)
12730{
12731#if defined(__Panda__)
12732	struct mbuf *m;
12733
12734	m = m_uiotombuf(uio, M_WAITOK, max_send_len, 0,
12735			(user_marks_eor ? M_EOR : 0));
12736	if (m == NULL) {
12737		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOBUFS);
12738		*error = ENOBUFS;
12739	} else {
12740		*sndout = m_length(m, NULL);
12741		*new_tail = m_last(m);
12742	}
12743	return (m);
12744#elif defined(__FreeBSD__) && __FreeBSD_version > 602000
12745	struct mbuf *m;
12746
12747	m = m_uiotombuf(uio, M_WAITOK, max_send_len, 0,
12748		(M_PKTHDR | (user_marks_eor ? M_EOR : 0)));
12749	if (m == NULL) {
12750		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOBUFS);
12751		*error = ENOBUFS;
12752	} else {
12753		*sndout = m_length(m, NULL);
12754		*new_tail = m_last(m);
12755	}
12756	return (m);
12757#else
12758	int left, cancpy, willcpy;
12759	struct mbuf *m, *head;
12760
12761#if defined(__APPLE__)
12762#if defined(APPLE_LEOPARD)
12763	left = min(uio->uio_resid, max_send_len);
12764#else
12765	left = min(uio_resid(uio), max_send_len);
12766#endif
12767#else
12768	left = min(uio->uio_resid, max_send_len);
12769#endif
12770	/* Always get a header just in case */
12771	head = sctp_get_mbuf_for_msg(left, 0, M_WAITOK, 0, MT_DATA);
12772	if (head == NULL) {
12773		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOBUFS);
12774		*error = ENOBUFS;
12775		return (NULL);
12776	}
12777	cancpy = M_TRAILINGSPACE(head);
12778	willcpy = min(cancpy, left);
12779	*error = uiomove(mtod(head, caddr_t), willcpy, uio);
12780	if (*error) {
12781		sctp_m_freem(head);
12782		return (NULL);
12783	}
12784	*sndout += willcpy;
12785	left -= willcpy;
12786	SCTP_BUF_LEN(head) = willcpy;
12787	m = head;
12788	*new_tail = head;
12789	while (left > 0) {
12790		/* move in user data */
12791		SCTP_BUF_NEXT(m) = sctp_get_mbuf_for_msg(left, 0, M_WAITOK, 0, MT_DATA);
12792		if (SCTP_BUF_NEXT(m) == NULL) {
12793			sctp_m_freem(head);
12794			*new_tail = NULL;
12795			SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOBUFS);
12796			*error = ENOBUFS;
12797			return (NULL);
12798		}
12799		m = SCTP_BUF_NEXT(m);
12800		cancpy = M_TRAILINGSPACE(m);
12801		willcpy = min(cancpy, left);
12802		*error = uiomove(mtod(m, caddr_t), willcpy, uio);
12803		if (*error) {
12804			sctp_m_freem(head);
12805			*new_tail = NULL;
12806			SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
12807			*error = EFAULT;
12808			return (NULL);
12809		}
12810		SCTP_BUF_LEN(m) = willcpy;
12811		left -= willcpy;
12812		*sndout += willcpy;
12813		*new_tail = m;
12814		if (left == 0) {
12815			SCTP_BUF_NEXT(m) = NULL;
12816		}
12817	}
12818	return (head);
12819#endif
12820}
12821
12822static int
12823sctp_copy_one(struct sctp_stream_queue_pending *sp,
12824              struct uio *uio,
12825              int resv_upfront)
12826{
12827	int left;
12828#if defined(__Panda__)
12829	left = sp->length;
12830	sp->data = m_uiotombuf(uio, M_WAITOK, sp->length,
12831	                       resv_upfront, 0);
12832	if (sp->data == NULL) {
12833		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOBUFS);
12834		return (ENOBUFS);
12835	}
12836
12837	sp->tail_mbuf = m_last(sp->data);
12838	return (0);
12839
12840#elif defined(__FreeBSD__) && __FreeBSD_version > 602000
12841	left = sp->length;
12842	sp->data = m_uiotombuf(uio, M_WAITOK, sp->length,
12843	                       resv_upfront, 0);
12844	if (sp->data == NULL) {
12845		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOBUFS);
12846		return (ENOBUFS);
12847	}
12848
12849	sp->tail_mbuf = m_last(sp->data);
12850	return (0);
12851#else
12852	int cancpy, willcpy, error;
12853	struct mbuf *m, *head;
12854	int cpsz = 0;
12855
12856	/* First one gets a header */
12857	left = sp->length;
12858	head = m = sctp_get_mbuf_for_msg((left + resv_upfront), 0, M_WAITOK, 0, MT_DATA);
12859	if (m == NULL) {
12860		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOBUFS);
12861		return (ENOBUFS);
12862	}
12863	/*-
12864	 * Add this one for m in now, that way if the alloc fails we won't
12865	 * have a bad cnt.
12866	 */
12867	SCTP_BUF_RESV_UF(m, resv_upfront);
12868	cancpy = M_TRAILINGSPACE(m);
12869	willcpy = min(cancpy, left);
12870	while (left > 0) {
12871		/* move in user data */
12872		error = uiomove(mtod(m, caddr_t), willcpy, uio);
12873		if (error) {
12874			sctp_m_freem(head);
12875			return (error);
12876		}
12877		SCTP_BUF_LEN(m) = willcpy;
12878		left -= willcpy;
12879		cpsz += willcpy;
12880		if (left > 0) {
12881			SCTP_BUF_NEXT(m) = sctp_get_mbuf_for_msg(left, 0, M_WAITOK, 0, MT_DATA);
12882			if (SCTP_BUF_NEXT(m) == NULL) {
12883				/*
12884				 * the head goes back to caller, he can free
12885				 * the rest
12886				 */
12887				sctp_m_freem(head);
12888				SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOBUFS);
12889				return (ENOBUFS);
12890			}
12891			m = SCTP_BUF_NEXT(m);
12892			cancpy = M_TRAILINGSPACE(m);
12893			willcpy = min(cancpy, left);
12894		} else {
12895			sp->tail_mbuf = m;
12896			SCTP_BUF_NEXT(m) = NULL;
12897		}
12898	}
12899	sp->data = head;
12900	sp->length = cpsz;
12901	return (0);
12902#endif
12903}
12904
12905
12906
12907static struct sctp_stream_queue_pending *
12908sctp_copy_it_in(struct sctp_tcb *stcb,
12909    struct sctp_association *asoc,
12910    struct sctp_sndrcvinfo *srcv,
12911    struct uio *uio,
12912    struct sctp_nets *net,
12913    int max_send_len,
12914    int user_marks_eor,
12915    int *error)
12916
12917{
12918	/*-
12919	 * This routine must be very careful in its work. Protocol
12920	 * processing is up and running so care must be taken to spl...()
12921	 * when you need to do something that may effect the stcb/asoc. The
12922	 * sb is locked however. When data is copied the protocol processing
12923	 * should be enabled since this is a slower operation...
12924	 */
12925	struct sctp_stream_queue_pending *sp = NULL;
12926	int resv_in_first;
12927
12928	*error = 0;
12929	/* Now can we send this? */
12930	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) ||
12931	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
12932	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
12933	    (asoc->state & SCTP_STATE_SHUTDOWN_PENDING)) {
12934		/* got data while shutting down */
12935		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
12936		*error = ECONNRESET;
12937		goto out_now;
12938	}
12939	sctp_alloc_a_strmoq(stcb, sp);
12940	if (sp == NULL) {
12941		SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12942		*error = ENOMEM;
12943		goto out_now;
12944	}
12945	sp->act_flags = 0;
12946	sp->sender_all_done = 0;
12947	sp->sinfo_flags = srcv->sinfo_flags;
12948	sp->timetolive = srcv->sinfo_timetolive;
12949	sp->ppid = srcv->sinfo_ppid;
12950	sp->context = srcv->sinfo_context;
12951	(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
12952
12953	sp->stream = srcv->sinfo_stream;
12954#if defined(__APPLE__)
12955#if defined(APPLE_LEOPARD)
12956	sp->length = min(uio->uio_resid, max_send_len);
12957#else
12958	sp->length = min(uio_resid(uio), max_send_len);
12959#endif
12960#else
12961	sp->length = min(uio->uio_resid, max_send_len);
12962#endif
12963#if defined(__APPLE__)
12964#if defined(APPLE_LEOPARD)
12965	if ((sp->length == (uint32_t)uio->uio_resid) &&
12966#else
12967	if ((sp->length == (uint32_t)uio_resid(uio)) &&
12968#endif
12969#else
12970	if ((sp->length == (uint32_t)uio->uio_resid) &&
12971#endif
12972	    ((user_marks_eor == 0) ||
12973	     (srcv->sinfo_flags & SCTP_EOF) ||
12974	     (user_marks_eor && (srcv->sinfo_flags & SCTP_EOR)))) {
12975		sp->msg_is_complete = 1;
12976	} else {
12977		sp->msg_is_complete = 0;
12978	}
12979	sp->sender_all_done = 0;
12980	sp->some_taken = 0;
12981	sp->put_last_out = 0;
12982	resv_in_first = sizeof(struct sctp_data_chunk);
12983	sp->data = sp->tail_mbuf = NULL;
12984	if (sp->length == 0) {
12985		*error = 0;
12986		goto skip_copy;
12987	}
12988	if (srcv->sinfo_keynumber_valid) {
12989		sp->auth_keyid = srcv->sinfo_keynumber;
12990	} else {
12991		sp->auth_keyid = stcb->asoc.authinfo.active_keyid;
12992	}
12993	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks)) {
12994		sctp_auth_key_acquire(stcb, sp->auth_keyid);
12995		sp->holds_key_ref = 1;
12996	}
12997#if defined(__APPLE__)
12998	SCTP_SOCKET_UNLOCK(SCTP_INP_SO(stcb->sctp_ep), 0);
12999#endif
13000	*error = sctp_copy_one(sp, uio, resv_in_first);
13001#if defined(__APPLE__)
13002	SCTP_SOCKET_LOCK(SCTP_INP_SO(stcb->sctp_ep), 0);
13003#endif
13004 skip_copy:
13005	if (*error) {
13006		sctp_free_a_strmoq(stcb, sp, SCTP_SO_LOCKED);
13007		sp = NULL;
13008	} else {
13009		if (sp->sinfo_flags & SCTP_ADDR_OVER) {
13010			sp->net = net;
13011			atomic_add_int(&sp->net->ref_count, 1);
13012		} else {
13013			sp->net = NULL;
13014		}
13015		sctp_set_prsctp_policy(sp);
13016	}
13017out_now:
13018	return (sp);
13019}
13020
13021
13022int
13023sctp_sosend(struct socket *so,
13024            struct sockaddr *addr,
13025            struct uio *uio,
13026#ifdef __Panda__
13027            pakhandle_type top,
13028            pakhandle_type icontrol,
13029#else
13030            struct mbuf *top,
13031            struct mbuf *control,
13032#endif
13033#if defined(__APPLE__) || defined(__Panda__)
13034            int flags
13035#else
13036            int flags,
13037#if defined(__FreeBSD__) && __FreeBSD_version >= 500000
13038            struct thread *p
13039#elif defined(__Windows__)
13040            PKTHREAD p
13041#else
13042#if defined(__Userspace__)
13043            /*
13044	     * proc is a dummy in __Userspace__ and will not be passed
13045	     * to sctp_lower_sosend
13046	     */
13047#endif
13048            struct proc *p
13049#endif
13050#endif
13051)
13052{
13053#ifdef __Panda__
13054	struct mbuf *control = NULL;
13055#endif
13056#if defined(__APPLE__)
13057	struct proc *p = current_proc();
13058#endif
13059	int error, use_sndinfo = 0;
13060	struct sctp_sndrcvinfo sndrcvninfo;
13061	struct sockaddr *addr_to_use;
13062#if defined(INET) && defined(INET6)
13063	struct sockaddr_in sin;
13064#endif
13065
13066#if defined(__APPLE__)
13067	SCTP_SOCKET_LOCK(so, 1);
13068#endif
13069#ifdef __Panda__
13070	control = SCTP_HEADER_TO_CHAIN(icontrol);
13071#endif
13072	if (control) {
13073		/* process cmsg snd/rcv info (maybe a assoc-id) */
13074		if (sctp_find_cmsg(SCTP_SNDRCV, (void *)&sndrcvninfo, control,
13075		    sizeof(sndrcvninfo))) {
13076			/* got one */
13077			use_sndinfo = 1;
13078		}
13079	}
13080	addr_to_use = addr;
13081#if defined(INET) && defined(INET6)
13082	if ((addr) && (addr->sa_family == AF_INET6)) {
13083		struct sockaddr_in6 *sin6;
13084
13085		sin6 = (struct sockaddr_in6 *)addr;
13086		if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
13087			in6_sin6_2_sin(&sin, sin6);
13088			addr_to_use = (struct sockaddr *)&sin;
13089		}
13090	}
13091#endif
13092	error = sctp_lower_sosend(so, addr_to_use, uio, top,
13093#ifdef __Panda__
13094				  icontrol,
13095#else
13096				  control,
13097#endif
13098				  flags,
13099				  use_sndinfo ? &sndrcvninfo: NULL
13100#if !(defined(__Panda__) || defined(__Userspace__))
13101				  , p
13102#endif
13103		);
13104#if defined(__APPLE__)
13105	SCTP_SOCKET_UNLOCK(so, 1);
13106#endif
13107	return (error);
13108}
13109
13110
13111int
13112sctp_lower_sosend(struct socket *so,
13113                  struct sockaddr *addr,
13114                  struct uio *uio,
13115#ifdef __Panda__
13116                  pakhandle_type i_pak,
13117                  pakhandle_type i_control,
13118#else
13119                  struct mbuf *i_pak,
13120                  struct mbuf *control,
13121#endif
13122                  int flags,
13123                  struct sctp_sndrcvinfo *srcv
13124#if !(defined( __Panda__) || defined(__Userspace__))
13125                  ,
13126#if defined(__FreeBSD__) && __FreeBSD_version >= 500000
13127                  struct thread *p
13128#elif defined(__Windows__)
13129                  PKTHREAD p
13130#else
13131                  struct proc *p
13132#endif
13133#endif
13134	)
13135{
13136	unsigned int sndlen = 0, max_len;
13137	int error, len;
13138	struct mbuf *top = NULL;
13139#ifdef __Panda__
13140	struct mbuf *control = NULL;
13141#endif
13142	int queue_only = 0, queue_only_for_init = 0;
13143	int free_cnt_applied = 0;
13144	int un_sent;
13145	int now_filled = 0;
13146	unsigned int inqueue_bytes = 0;
13147	struct sctp_block_entry be;
13148	struct sctp_inpcb *inp;
13149	struct sctp_tcb *stcb = NULL;
13150	struct timeval now;
13151	struct sctp_nets *net;
13152	struct sctp_association *asoc;
13153	struct sctp_inpcb *t_inp;
13154	int user_marks_eor;
13155	int create_lock_applied = 0;
13156	int nagle_applies = 0;
13157	int some_on_control = 0;
13158	int got_all_of_the_send = 0;
13159	int hold_tcblock = 0;
13160	int non_blocking = 0;
13161	uint32_t local_add_more, local_soresv = 0;
13162	uint16_t port;
13163	uint16_t sinfo_flags;
13164	sctp_assoc_t sinfo_assoc_id;
13165
13166	error = 0;
13167	net = NULL;
13168	stcb = NULL;
13169	asoc = NULL;
13170
13171#if defined(__APPLE__)
13172	sctp_lock_assert(so);
13173#endif
13174	t_inp = inp = (struct sctp_inpcb *)so->so_pcb;
13175	if (inp == NULL) {
13176		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13177		error = EINVAL;
13178		if (i_pak) {
13179			SCTP_RELEASE_PKT(i_pak);
13180		}
13181		return (error);
13182	}
13183	if ((uio == NULL) && (i_pak == NULL)) {
13184		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13185		return (EINVAL);
13186	}
13187	user_marks_eor = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR);
13188	atomic_add_int(&inp->total_sends, 1);
13189	if (uio) {
13190#if defined(__APPLE__)
13191#if defined(APPLE_LEOPARD)
13192		if (uio->uio_resid < 0) {
13193#else
13194		if (uio_resid(uio) < 0) {
13195#endif
13196#else
13197		if (uio->uio_resid < 0) {
13198#endif
13199			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13200			return (EINVAL);
13201		}
13202#if defined(__APPLE__)
13203#if defined(APPLE_LEOPARD)
13204		sndlen = uio->uio_resid;
13205#else
13206		sndlen = uio_resid(uio);
13207#endif
13208#else
13209		sndlen = uio->uio_resid;
13210#endif
13211	} else {
13212		top = SCTP_HEADER_TO_CHAIN(i_pak);
13213#ifdef __Panda__
13214		/*-
13215		 * app len indicates the datalen, dgsize for cases
13216		 * of SCTP_EOF/ABORT will not have the right len
13217		 */
13218		sndlen = SCTP_APP_DATA_LEN(i_pak);
13219		/*-
13220		 * Set the particle len also to zero to match
13221		 * up with app len. We only have one particle
13222		 * if app len is zero for Panda. This is ensured
13223		 * in the socket lib
13224		 */
13225		if (sndlen == 0) {
13226			SCTP_BUF_LEN(top)  = 0;
13227		}
13228		/*-
13229		 * We delink the chain from header, but keep
13230		 * the header around as we will need it in
13231		 * EAGAIN case
13232		 */
13233		SCTP_DETACH_HEADER_FROM_CHAIN(i_pak);
13234#else
13235		sndlen = SCTP_HEADER_LEN(i_pak);
13236#endif
13237	}
13238	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Send called addr:%p send length %d\n",
13239		(void *)addr,
13240	        sndlen);
13241#ifdef __Panda__
13242	if (i_control) {
13243		control = SCTP_HEADER_TO_CHAIN(i_control);
13244	}
13245#endif
13246	if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
13247	    (inp->sctp_socket->so_qlimit)) {
13248		/* The listener can NOT send */
13249		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOTCONN);
13250		error = ENOTCONN;
13251		goto out_unlocked;
13252	}
13253	/**
13254	 * Pre-screen address, if one is given the sin-len
13255	 * must be set correctly!
13256	 */
13257	if (addr) {
13258		union sctp_sockstore *raddr = (union sctp_sockstore *)addr;
13259		switch (raddr->sa.sa_family) {
13260#ifdef INET
13261		case AF_INET:
13262#ifdef HAVE_SIN_LEN
13263			if (raddr->sin.sin_len != sizeof(struct sockaddr_in)) {
13264				SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13265				error = EINVAL;
13266				goto out_unlocked;
13267			}
13268#endif
13269			port = raddr->sin.sin_port;
13270			break;
13271#endif
13272#ifdef INET6
13273		case AF_INET6:
13274#ifdef HAVE_SIN6_LEN
13275			if (raddr->sin6.sin6_len != sizeof(struct sockaddr_in6)) {
13276				SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13277				error = EINVAL;
13278				goto out_unlocked;
13279			}
13280#endif
13281			port = raddr->sin6.sin6_port;
13282			break;
13283#endif
13284#if defined(__Userspace__)
13285		case AF_CONN:
13286#ifdef HAVE_SCONN_LEN
13287			if (raddr->sconn.sconn_len != sizeof(struct sockaddr_conn)) {
13288				SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13289				error = EINVAL;
13290				goto out_unlocked;
13291			}
13292#endif
13293			port = raddr->sconn.sconn_port;
13294			break;
13295#endif
13296		default:
13297			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EAFNOSUPPORT);
13298			error = EAFNOSUPPORT;
13299			goto out_unlocked;
13300		}
13301	} else
13302		port = 0;
13303
13304	if (srcv) {
13305		sinfo_flags = srcv->sinfo_flags;
13306		sinfo_assoc_id = srcv->sinfo_assoc_id;
13307		if (INVALID_SINFO_FLAG(sinfo_flags) ||
13308		    PR_SCTP_INVALID_POLICY(sinfo_flags)) {
13309			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13310			error = EINVAL;
13311			goto out_unlocked;
13312		}
13313		if (srcv->sinfo_flags)
13314			SCTP_STAT_INCR(sctps_sends_with_flags);
13315	} else {
13316		sinfo_flags = inp->def_send.sinfo_flags;
13317		sinfo_assoc_id = inp->def_send.sinfo_assoc_id;
13318	}
13319	if (sinfo_flags & SCTP_SENDALL) {
13320		/* its a sendall */
13321		error = sctp_sendall(inp, uio, top, srcv);
13322		top = NULL;
13323		goto out_unlocked;
13324	}
13325	if ((sinfo_flags & SCTP_ADDR_OVER) && (addr == NULL)) {
13326		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13327		error = EINVAL;
13328		goto out_unlocked;
13329	}
13330	/* now we must find the assoc */
13331	if ((inp->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) ||
13332	    (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
13333		SCTP_INP_RLOCK(inp);
13334		stcb = LIST_FIRST(&inp->sctp_asoc_list);
13335		if (stcb) {
13336			SCTP_TCB_LOCK(stcb);
13337			hold_tcblock = 1;
13338		}
13339		SCTP_INP_RUNLOCK(inp);
13340	} else if (sinfo_assoc_id) {
13341		stcb = sctp_findassociation_ep_asocid(inp, sinfo_assoc_id, 0);
13342	} else if (addr) {
13343		/*-
13344		 * Since we did not use findep we must
13345		 * increment it, and if we don't find a tcb
13346		 * decrement it.
13347		 */
13348		SCTP_INP_WLOCK(inp);
13349		SCTP_INP_INCR_REF(inp);
13350		SCTP_INP_WUNLOCK(inp);
13351		stcb = sctp_findassociation_ep_addr(&t_inp, addr, &net, NULL, NULL);
13352		if (stcb == NULL) {
13353			SCTP_INP_WLOCK(inp);
13354			SCTP_INP_DECR_REF(inp);
13355			SCTP_INP_WUNLOCK(inp);
13356		} else {
13357			hold_tcblock = 1;
13358		}
13359	}
13360	if ((stcb == NULL) && (addr)) {
13361		/* Possible implicit send? */
13362		SCTP_ASOC_CREATE_LOCK(inp);
13363		create_lock_applied = 1;
13364		if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
13365		    (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
13366			/* Should I really unlock ? */
13367			SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13368			error = EINVAL;
13369			goto out_unlocked;
13370
13371		}
13372		if (((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) == 0) &&
13373		    (addr->sa_family == AF_INET6)) {
13374			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13375			error = EINVAL;
13376			goto out_unlocked;
13377		}
13378		SCTP_INP_WLOCK(inp);
13379		SCTP_INP_INCR_REF(inp);
13380		SCTP_INP_WUNLOCK(inp);
13381		/* With the lock applied look again */
13382		stcb = sctp_findassociation_ep_addr(&t_inp, addr, &net, NULL, NULL);
13383		if ((stcb == NULL) && (control != NULL) && (port > 0)) {
13384			stcb = sctp_findassociation_cmsgs(&t_inp, port, control, &net, &error);
13385		}
13386		if (stcb == NULL) {
13387			SCTP_INP_WLOCK(inp);
13388			SCTP_INP_DECR_REF(inp);
13389			SCTP_INP_WUNLOCK(inp);
13390		} else {
13391			hold_tcblock = 1;
13392		}
13393		if (error) {
13394			goto out_unlocked;
13395		}
13396		if (t_inp != inp) {
13397			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOTCONN);
13398			error = ENOTCONN;
13399			goto out_unlocked;
13400		}
13401	}
13402	if (stcb == NULL) {
13403		if (addr == NULL) {
13404			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOENT);
13405			error = ENOENT;
13406			goto out_unlocked;
13407		} else {
13408			/* We must go ahead and start the INIT process */
13409			uint32_t vrf_id;
13410
13411			if ((sinfo_flags & SCTP_ABORT) ||
13412			    ((sinfo_flags & SCTP_EOF) && (sndlen == 0))) {
13413				/*-
13414				 * User asks to abort a non-existant assoc,
13415				 * or EOF a non-existant assoc with no data
13416				 */
13417				SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOENT);
13418				error = ENOENT;
13419				goto out_unlocked;
13420			}
13421			/* get an asoc/stcb struct */
13422			vrf_id = inp->def_vrf_id;
13423#ifdef INVARIANTS
13424			if (create_lock_applied == 0) {
13425				panic("Error, should hold create lock and I don't?");
13426			}
13427#endif
13428			stcb = sctp_aloc_assoc(inp, addr, &error, 0, vrf_id,
13429#if !(defined( __Panda__) || defined(__Userspace__))
13430					       p
13431#else
13432					       (struct proc *)NULL
13433#endif
13434				);
13435			if (stcb == NULL) {
13436				/* Error is setup for us in the call */
13437				goto out_unlocked;
13438			}
13439			if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) {
13440				stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
13441				/* Set the connected flag so we can queue data */
13442				soisconnecting(so);
13443			}
13444			hold_tcblock = 1;
13445			if (create_lock_applied) {
13446				SCTP_ASOC_CREATE_UNLOCK(inp);
13447				create_lock_applied = 0;
13448			} else {
13449				SCTP_PRINTF("Huh-3? create lock should have been on??\n");
13450			}
13451			/* Turn on queue only flag to prevent data from being sent */
13452			queue_only = 1;
13453			asoc = &stcb->asoc;
13454			SCTP_SET_STATE(asoc, SCTP_STATE_COOKIE_WAIT);
13455			(void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
13456
13457			/* initialize authentication params for the assoc */
13458			sctp_initialize_auth_params(inp, stcb);
13459
13460			if (control) {
13461				if (sctp_process_cmsgs_for_init(stcb, control, &error)) {
13462					sctp_free_assoc(inp, stcb, SCTP_PCBFREE_FORCE, SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_7);
13463					hold_tcblock = 0;
13464					stcb = NULL;
13465					goto out_unlocked;
13466				}
13467			}
13468			/* out with the INIT */
13469			queue_only_for_init = 1;
13470			/*-
13471			 * we may want to dig in after this call and adjust the MTU
13472			 * value. It defaulted to 1500 (constant) but the ro
13473			 * structure may now have an update and thus we may need to
13474			 * change it BEFORE we append the message.
13475			 */
13476		}
13477	} else
13478		asoc = &stcb->asoc;
13479	if (srcv == NULL)
13480		srcv = (struct sctp_sndrcvinfo *)&asoc->def_send;
13481	if (srcv->sinfo_flags & SCTP_ADDR_OVER) {
13482		if (addr)
13483			net = sctp_findnet(stcb, addr);
13484		else
13485			net = NULL;
13486		if ((net == NULL) ||
13487		    ((port != 0) && (port != stcb->rport))) {
13488			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13489			error = EINVAL;
13490			goto out_unlocked;
13491		}
13492	} else {
13493		if (stcb->asoc.alternate) {
13494			net = stcb->asoc.alternate;
13495		} else {
13496			net = stcb->asoc.primary_destination;
13497		}
13498	}
13499	atomic_add_int(&stcb->total_sends, 1);
13500	/* Keep the stcb from being freed under our feet */
13501	atomic_add_int(&asoc->refcnt, 1);
13502	free_cnt_applied = 1;
13503
13504	if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_NO_FRAGMENT)) {
13505		if (sndlen > asoc->smallest_mtu) {
13506			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE);
13507			error = EMSGSIZE;
13508			goto out_unlocked;
13509		}
13510	}
13511#if defined(__Userspace__)
13512	if (inp->recv_callback) {
13513		non_blocking = 1;
13514	}
13515#else
13516	if (SCTP_SO_IS_NBIO(so)
13517#if defined(__FreeBSD__) && __FreeBSD_version >= 500000
13518	     || (flags & MSG_NBIO)
13519#endif
13520	    ) {
13521		non_blocking = 1;
13522	}
13523#endif
13524	/* would we block? */
13525	if (non_blocking) {
13526		if (hold_tcblock == 0) {
13527			SCTP_TCB_LOCK(stcb);
13528			hold_tcblock = 1;
13529		}
13530		inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
13531		if ((SCTP_SB_LIMIT_SND(so) <  (sndlen + inqueue_bytes + stcb->asoc.sb_send_resv)) ||
13532		    (stcb->asoc.chunks_on_out_queue >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
13533			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EWOULDBLOCK);
13534			if (sndlen > SCTP_SB_LIMIT_SND(so))
13535				error = EMSGSIZE;
13536			else
13537				error = EWOULDBLOCK;
13538			goto out_unlocked;
13539		}
13540		stcb->asoc.sb_send_resv += sndlen;
13541		SCTP_TCB_UNLOCK(stcb);
13542		hold_tcblock = 0;
13543	} else {
13544		atomic_add_int(&stcb->asoc.sb_send_resv, sndlen);
13545	}
13546	local_soresv = sndlen;
13547	if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
13548		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
13549		error = ECONNRESET;
13550		goto out_unlocked;
13551	}
13552	if (create_lock_applied) {
13553		SCTP_ASOC_CREATE_UNLOCK(inp);
13554		create_lock_applied = 0;
13555	}
13556	if (asoc->stream_reset_outstanding) {
13557		/*
13558		 * Can't queue any data while stream reset is underway.
13559		 */
13560		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EAGAIN);
13561		error = EAGAIN;
13562		goto out_unlocked;
13563	}
13564	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
13565	    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
13566		queue_only = 1;
13567	}
13568	/* we are now done with all control */
13569	if (control) {
13570		sctp_m_freem(control);
13571		control = NULL;
13572	}
13573	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) ||
13574	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
13575	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
13576	    (asoc->state & SCTP_STATE_SHUTDOWN_PENDING)) {
13577		if (srcv->sinfo_flags & SCTP_ABORT) {
13578			;
13579		} else {
13580			SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
13581			error = ECONNRESET;
13582			goto out_unlocked;
13583		}
13584	}
13585	/* Ok, we will attempt a msgsnd :> */
13586#if !(defined(__Panda__) || defined(__Windows__) || defined(__Userspace__))
13587	if (p) {
13588#if defined(__FreeBSD__) && __FreeBSD_version >= 603000
13589		p->td_ru.ru_msgsnd++;
13590#elif defined(__FreeBSD__) && __FreeBSD_version >= 500000
13591		p->td_proc->p_stats->p_ru.ru_msgsnd++;
13592#else
13593		p->p_stats->p_ru.ru_msgsnd++;
13594#endif
13595	}
13596#endif
13597	/* Are we aborting? */
13598	if (srcv->sinfo_flags & SCTP_ABORT) {
13599		struct mbuf *mm;
13600		int tot_demand, tot_out = 0, max_out;
13601
13602		SCTP_STAT_INCR(sctps_sends_with_abort);
13603		if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
13604		    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
13605			/* It has to be up before we abort */
13606			/* how big is the user initiated abort? */
13607			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13608			error = EINVAL;
13609			goto out;
13610		}
13611		if (hold_tcblock) {
13612			SCTP_TCB_UNLOCK(stcb);
13613			hold_tcblock = 0;
13614		}
13615		if (top) {
13616			struct mbuf *cntm = NULL;
13617
13618			mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 0, M_WAITOK, 1, MT_DATA);
13619			if (sndlen != 0) {
13620				for (cntm = top; cntm; cntm = SCTP_BUF_NEXT(cntm)) {
13621					tot_out += SCTP_BUF_LEN(cntm);
13622				}
13623			}
13624		} else {
13625			/* Must fit in a MTU */
13626			tot_out = sndlen;
13627			tot_demand = (tot_out + sizeof(struct sctp_paramhdr));
13628			if (tot_demand > SCTP_DEFAULT_ADD_MORE) {
13629				/* To big */
13630				SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE);
13631				error = EMSGSIZE;
13632				goto out;
13633			}
13634			mm = sctp_get_mbuf_for_msg(tot_demand, 0, M_WAITOK, 1, MT_DATA);
13635		}
13636		if (mm == NULL) {
13637			SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
13638			error = ENOMEM;
13639			goto out;
13640		}
13641		max_out = asoc->smallest_mtu - sizeof(struct sctp_paramhdr);
13642		max_out -= sizeof(struct sctp_abort_msg);
13643		if (tot_out > max_out) {
13644			tot_out = max_out;
13645		}
13646		if (mm) {
13647			struct sctp_paramhdr *ph;
13648
13649			/* now move forward the data pointer */
13650			ph = mtod(mm, struct sctp_paramhdr *);
13651			ph->param_type = htons(SCTP_CAUSE_USER_INITIATED_ABT);
13652			ph->param_length = htons(sizeof(struct sctp_paramhdr) + tot_out);
13653			ph++;
13654			SCTP_BUF_LEN(mm) = tot_out + sizeof(struct sctp_paramhdr);
13655			if (top == NULL) {
13656#if defined(__APPLE__)
13657				SCTP_SOCKET_UNLOCK(so, 0);
13658#endif
13659				error = uiomove((caddr_t)ph, (int)tot_out, uio);
13660#if defined(__APPLE__)
13661				SCTP_SOCKET_LOCK(so, 0);
13662#endif
13663				if (error) {
13664					/*-
13665					 * Here if we can't get his data we
13666					 * still abort we just don't get to
13667					 * send the users note :-0
13668					 */
13669					sctp_m_freem(mm);
13670					mm = NULL;
13671				}
13672			} else {
13673				if (sndlen != 0) {
13674					SCTP_BUF_NEXT(mm) = top;
13675				}
13676			}
13677		}
13678		if (hold_tcblock == 0) {
13679			SCTP_TCB_LOCK(stcb);
13680		}
13681		atomic_add_int(&stcb->asoc.refcnt, -1);
13682		free_cnt_applied = 0;
13683		/* release this lock, otherwise we hang on ourselves */
13684		sctp_abort_an_association(stcb->sctp_ep, stcb, mm, SCTP_SO_LOCKED);
13685		/* now relock the stcb so everything is sane */
13686		hold_tcblock = 0;
13687		stcb = NULL;
13688		/* In this case top is already chained to mm
13689		 * avoid double free, since we free it below if
13690		 * top != NULL and driver would free it after sending
13691		 * the packet out
13692		 */
13693		if (sndlen != 0) {
13694			top = NULL;
13695		}
13696		goto out_unlocked;
13697	}
13698	/* Calculate the maximum we can send */
13699	inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
13700	if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes) {
13701		if (non_blocking) {
13702			/* we already checked for non-blocking above. */
13703			max_len = sndlen;
13704		} else {
13705			max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
13706		}
13707	} else {
13708		max_len = 0;
13709	}
13710	if (hold_tcblock) {
13711		SCTP_TCB_UNLOCK(stcb);
13712		hold_tcblock = 0;
13713	}
13714	/* Is the stream no. valid? */
13715	if (srcv->sinfo_stream >= asoc->streamoutcnt) {
13716		/* Invalid stream number */
13717		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13718		error = EINVAL;
13719		goto out_unlocked;
13720	}
13721	if (asoc->strmout == NULL) {
13722		/* huh? software error */
13723		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
13724		error = EFAULT;
13725		goto out_unlocked;
13726	}
13727
13728	/* Unless E_EOR mode is on, we must make a send FIT in one call. */
13729	if ((user_marks_eor == 0) &&
13730	    (sndlen > SCTP_SB_LIMIT_SND(stcb->sctp_socket))) {
13731		/* It will NEVER fit */
13732		SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE);
13733		error = EMSGSIZE;
13734		goto out_unlocked;
13735	}
13736	if ((uio == NULL) && user_marks_eor) {
13737		/*-
13738		 * We do not support eeor mode for
13739		 * sending with mbuf chains (like sendfile).
13740		 */
13741		SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13742		error = EINVAL;
13743		goto out_unlocked;
13744	}
13745
13746	if (user_marks_eor) {
13747		local_add_more = min(SCTP_SB_LIMIT_SND(so), SCTP_BASE_SYSCTL(sctp_add_more_threshold));
13748	} else {
13749		/*-
13750		 * For non-eeor the whole message must fit in
13751		 * the socket send buffer.
13752		 */
13753		local_add_more = sndlen;
13754	}
13755	len = 0;
13756	if (non_blocking) {
13757		goto skip_preblock;
13758	}
13759	if (((max_len <= local_add_more) &&
13760	     (SCTP_SB_LIMIT_SND(so) >= local_add_more)) ||
13761	    (max_len == 0) ||
13762	    ((stcb->asoc.chunks_on_out_queue+stcb->asoc.stream_queue_cnt) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
13763		/* No room right now ! */
13764		SOCKBUF_LOCK(&so->so_snd);
13765		inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
13766		while ((SCTP_SB_LIMIT_SND(so) < (inqueue_bytes + local_add_more)) ||
13767		       ((stcb->asoc.stream_queue_cnt+stcb->asoc.chunks_on_out_queue) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
13768			SCTPDBG(SCTP_DEBUG_OUTPUT1,"pre_block limit:%u <(inq:%d + %d) || (%d+%d > %d)\n",
13769			        (unsigned int)SCTP_SB_LIMIT_SND(so),
13770			        inqueue_bytes,
13771			        local_add_more,
13772			        stcb->asoc.stream_queue_cnt,
13773			        stcb->asoc.chunks_on_out_queue,
13774			        SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue));
13775			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13776				sctp_log_block(SCTP_BLOCK_LOG_INTO_BLKA, asoc, sndlen);
13777			}
13778			be.error = 0;
13779#if !defined(__Panda__) && !defined(__Windows__)
13780			stcb->block_entry = &be;
13781#endif
13782			error = sbwait(&so->so_snd);
13783			stcb->block_entry = NULL;
13784			if (error || so->so_error || be.error) {
13785				if (error == 0) {
13786					if (so->so_error)
13787						error = so->so_error;
13788					if (be.error) {
13789						error = be.error;
13790					}
13791				}
13792				SOCKBUF_UNLOCK(&so->so_snd);
13793				goto out_unlocked;
13794			}
13795			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13796				sctp_log_block(SCTP_BLOCK_LOG_OUTOF_BLK,
13797				               asoc, stcb->asoc.total_output_queue_size);
13798			}
13799			if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
13800				goto out_unlocked;
13801			}
13802			inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
13803		}
13804		if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes) {
13805			max_len = SCTP_SB_LIMIT_SND(so) -  inqueue_bytes;
13806		} else {
13807			max_len = 0;
13808		}
13809		SOCKBUF_UNLOCK(&so->so_snd);
13810	}
13811
13812skip_preblock:
13813	if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
13814		goto out_unlocked;
13815	}
13816#if defined(__APPLE__)
13817	error = sblock(&so->so_snd, SBLOCKWAIT(flags));
13818#endif
13819	/* sndlen covers for mbuf case
13820	 * uio_resid covers for the non-mbuf case
13821	 * NOTE: uio will be null when top/mbuf is passed
13822	 */
13823	if (sndlen == 0) {
13824		if (srcv->sinfo_flags & SCTP_EOF) {
13825			got_all_of_the_send = 1;
13826			goto dataless_eof;
13827		} else {
13828			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13829			error = EINVAL;
13830			goto out;
13831		}
13832	}
13833	if (top == NULL) {
13834		struct sctp_stream_queue_pending *sp;
13835		struct sctp_stream_out *strm;
13836		uint32_t sndout;
13837
13838		SCTP_TCB_SEND_LOCK(stcb);
13839		if ((asoc->stream_locked) &&
13840		    (asoc->stream_locked_on  != srcv->sinfo_stream)) {
13841			SCTP_TCB_SEND_UNLOCK(stcb);
13842			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13843			error = EINVAL;
13844			goto out;
13845		}
13846		SCTP_TCB_SEND_UNLOCK(stcb);
13847
13848		strm = &stcb->asoc.strmout[srcv->sinfo_stream];
13849		if (strm->last_msg_incomplete == 0) {
13850		do_a_copy_in:
13851			sp = sctp_copy_it_in(stcb, asoc, srcv, uio, net, max_len, user_marks_eor, &error);
13852			if ((sp == NULL) || (error)) {
13853				goto out;
13854			}
13855			SCTP_TCB_SEND_LOCK(stcb);
13856			if (sp->msg_is_complete) {
13857				strm->last_msg_incomplete = 0;
13858				asoc->stream_locked = 0;
13859			} else {
13860				/* Just got locked to this guy in
13861				 * case of an interrupt.
13862				 */
13863				strm->last_msg_incomplete = 1;
13864				asoc->stream_locked = 1;
13865				asoc->stream_locked_on  = srcv->sinfo_stream;
13866				sp->sender_all_done = 0;
13867			}
13868			sctp_snd_sb_alloc(stcb, sp->length);
13869			atomic_add_int(&asoc->stream_queue_cnt, 1);
13870			if (srcv->sinfo_flags & SCTP_UNORDERED) {
13871				SCTP_STAT_INCR(sctps_sends_with_unord);
13872			}
13873			TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
13874			stcb->asoc.ss_functions.sctp_ss_add_to_stream(stcb, asoc, strm, sp, 1);
13875			SCTP_TCB_SEND_UNLOCK(stcb);
13876		} else {
13877			SCTP_TCB_SEND_LOCK(stcb);
13878			sp = TAILQ_LAST(&strm->outqueue, sctp_streamhead);
13879			SCTP_TCB_SEND_UNLOCK(stcb);
13880			if (sp == NULL) {
13881				/* ???? Huh ??? last msg is gone */
13882#ifdef INVARIANTS
13883				panic("Warning: Last msg marked incomplete, yet nothing left?");
13884#else
13885				SCTP_PRINTF("Warning: Last msg marked incomplete, yet nothing left?\n");
13886				strm->last_msg_incomplete = 0;
13887#endif
13888				goto do_a_copy_in;
13889
13890			}
13891		}
13892#if defined(__APPLE__)
13893#if defined(APPLE_LEOPARD)
13894		while (uio->uio_resid > 0) {
13895#else
13896		while (uio_resid(uio) > 0) {
13897#endif
13898#else
13899		while (uio->uio_resid > 0) {
13900#endif
13901			/* How much room do we have? */
13902			struct mbuf *new_tail, *mm;
13903
13904			if (SCTP_SB_LIMIT_SND(so) > stcb->asoc.total_output_queue_size)
13905				max_len = SCTP_SB_LIMIT_SND(so) - stcb->asoc.total_output_queue_size;
13906			else
13907				max_len = 0;
13908
13909			if ((max_len > SCTP_BASE_SYSCTL(sctp_add_more_threshold)) ||
13910			    (max_len && (SCTP_SB_LIMIT_SND(so) < SCTP_BASE_SYSCTL(sctp_add_more_threshold))) ||
13911#if defined(__APPLE__)
13912#if defined(APPLE_LEOPARD)
13913			    (uio->uio_resid && (uio->uio_resid <= (int)max_len))) {
13914#else
13915			    (uio_resid(uio) && (uio_resid(uio) <= (int)max_len))) {
13916#endif
13917#else
13918			    (uio->uio_resid && (uio->uio_resid <= (int)max_len))) {
13919#endif
13920				sndout = 0;
13921				new_tail = NULL;
13922				if (hold_tcblock) {
13923					SCTP_TCB_UNLOCK(stcb);
13924					hold_tcblock = 0;
13925				}
13926#if defined(__APPLE__)
13927				SCTP_SOCKET_UNLOCK(so, 0);
13928#endif
13929#if defined(__FreeBSD__) && __FreeBSD_version > 602000
13930				    mm = sctp_copy_resume(uio, max_len, user_marks_eor, &error, &sndout, &new_tail);
13931#else
13932				    mm = sctp_copy_resume(uio, max_len, &error, &sndout, &new_tail);
13933#endif
13934#if defined(__APPLE__)
13935				SCTP_SOCKET_LOCK(so, 0);
13936#endif
13937				if ((mm == NULL) || error) {
13938					if (mm) {
13939						sctp_m_freem(mm);
13940					}
13941					goto out;
13942				}
13943				/* Update the mbuf and count */
13944				SCTP_TCB_SEND_LOCK(stcb);
13945				if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
13946					/* we need to get out.
13947					 * Peer probably aborted.
13948					 */
13949					sctp_m_freem(mm);
13950					if (stcb->asoc.state & SCTP_PCB_FLAGS_WAS_ABORTED) {
13951						SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
13952						error = ECONNRESET;
13953					}
13954					SCTP_TCB_SEND_UNLOCK(stcb);
13955					goto out;
13956				}
13957				if (sp->tail_mbuf) {
13958					/* tack it to the end */
13959					SCTP_BUF_NEXT(sp->tail_mbuf) = mm;
13960					sp->tail_mbuf = new_tail;
13961				} else {
13962					/* A stolen mbuf */
13963					sp->data = mm;
13964					sp->tail_mbuf = new_tail;
13965				}
13966				sctp_snd_sb_alloc(stcb, sndout);
13967				atomic_add_int(&sp->length,sndout);
13968				len += sndout;
13969
13970				/* Did we reach EOR? */
13971#if defined(__APPLE__)
13972#if defined(APPLE_LEOPARD)
13973				if ((uio->uio_resid == 0) &&
13974#else
13975				if ((uio_resid(uio) == 0) &&
13976#endif
13977#else
13978				if ((uio->uio_resid == 0) &&
13979#endif
13980				    ((user_marks_eor == 0) ||
13981				     (srcv->sinfo_flags & SCTP_EOF) ||
13982				     (user_marks_eor && (srcv->sinfo_flags & SCTP_EOR)))) {
13983					sp->msg_is_complete = 1;
13984				} else {
13985					sp->msg_is_complete = 0;
13986				}
13987				SCTP_TCB_SEND_UNLOCK(stcb);
13988			}
13989#if defined(__APPLE__)
13990#if defined(APPLE_LEOPARD)
13991			if (uio->uio_resid == 0) {
13992#else
13993			if (uio_resid(uio) == 0) {
13994#endif
13995#else
13996			if (uio->uio_resid == 0) {
13997#endif
13998				/* got it all? */
13999				continue;
14000			}
14001			/* PR-SCTP? */
14002			if ((asoc->prsctp_supported) && (asoc->sent_queue_cnt_removeable > 0)) {
14003				/* This is ugly but we must assure locking order */
14004				if (hold_tcblock == 0) {
14005					SCTP_TCB_LOCK(stcb);
14006					hold_tcblock = 1;
14007				}
14008				sctp_prune_prsctp(stcb, asoc, srcv, sndlen);
14009				inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
14010				if (SCTP_SB_LIMIT_SND(so) > stcb->asoc.total_output_queue_size)
14011					max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
14012				else
14013					max_len = 0;
14014				if (max_len > 0) {
14015					continue;
14016				}
14017				SCTP_TCB_UNLOCK(stcb);
14018				hold_tcblock = 0;
14019			}
14020			/* wait for space now */
14021			if (non_blocking) {
14022				/* Non-blocking io in place out */
14023				goto skip_out_eof;
14024			}
14025			/* What about the INIT, send it maybe */
14026			if (queue_only_for_init) {
14027				if (hold_tcblock == 0) {
14028					SCTP_TCB_LOCK(stcb);
14029					hold_tcblock = 1;
14030				}
14031				if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) {
14032					/* a collision took us forward? */
14033					queue_only = 0;
14034				} else {
14035					sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED);
14036					SCTP_SET_STATE(asoc, SCTP_STATE_COOKIE_WAIT);
14037					queue_only = 1;
14038				}
14039			}
14040			if ((net->flight_size > net->cwnd) &&
14041			    (asoc->sctp_cmt_on_off == 0)) {
14042				SCTP_STAT_INCR(sctps_send_cwnd_avoid);
14043				queue_only = 1;
14044			} else if (asoc->ifp_had_enobuf) {
14045				SCTP_STAT_INCR(sctps_ifnomemqueued);
14046				if (net->flight_size > (2 * net->mtu)) {
14047					queue_only = 1;
14048				}
14049				asoc->ifp_had_enobuf = 0;
14050			}
14051			un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
14052			           (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
14053			if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
14054			    (stcb->asoc.total_flight > 0) &&
14055			    (stcb->asoc.stream_queue_cnt < SCTP_MAX_DATA_BUNDLING) &&
14056			    (un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD))) {
14057
14058				/*-
14059				 * Ok, Nagle is set on and we have data outstanding.
14060				 * Don't send anything and let SACKs drive out the
14061				 * data unless wen have a "full" segment to send.
14062				 */
14063				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
14064					sctp_log_nagle_event(stcb, SCTP_NAGLE_APPLIED);
14065				}
14066				SCTP_STAT_INCR(sctps_naglequeued);
14067				nagle_applies = 1;
14068			} else {
14069				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
14070					if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY))
14071						sctp_log_nagle_event(stcb, SCTP_NAGLE_SKIPPED);
14072				}
14073				SCTP_STAT_INCR(sctps_naglesent);
14074				nagle_applies = 0;
14075			}
14076			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
14077
14078				sctp_misc_ints(SCTP_CWNDLOG_PRESEND, queue_only_for_init, queue_only,
14079					       nagle_applies, un_sent);
14080				sctp_misc_ints(SCTP_CWNDLOG_PRESEND, stcb->asoc.total_output_queue_size,
14081					       stcb->asoc.total_flight,
14082					       stcb->asoc.chunks_on_out_queue, stcb->asoc.total_flight_count);
14083			}
14084			if (queue_only_for_init)
14085				queue_only_for_init = 0;
14086			if ((queue_only == 0) && (nagle_applies == 0)) {
14087				/*-
14088				 * need to start chunk output
14089				 * before blocking.. note that if
14090				 * a lock is already applied, then
14091				 * the input via the net is happening
14092				 * and I don't need to start output :-D
14093				 */
14094				if (hold_tcblock == 0) {
14095					if (SCTP_TCB_TRYLOCK(stcb)) {
14096						hold_tcblock = 1;
14097						sctp_chunk_output(inp,
14098								  stcb,
14099								  SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
14100					}
14101				} else {
14102					sctp_chunk_output(inp,
14103							  stcb,
14104							  SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
14105				}
14106				if (hold_tcblock == 1) {
14107					SCTP_TCB_UNLOCK(stcb);
14108					hold_tcblock = 0;
14109				}
14110			}
14111			SOCKBUF_LOCK(&so->so_snd);
14112			/*-
14113			 * This is a bit strange, but I think it will
14114			 * work. The total_output_queue_size is locked and
14115			 * protected by the TCB_LOCK, which we just released.
14116			 * There is a race that can occur between releasing it
14117			 * above, and me getting the socket lock, where sacks
14118			 * come in but we have not put the SB_WAIT on the
14119			 * so_snd buffer to get the wakeup. After the LOCK
14120			 * is applied the sack_processing will also need to
14121			 * LOCK the so->so_snd to do the actual sowwakeup(). So
14122			 * once we have the socket buffer lock if we recheck the
14123			 * size we KNOW we will get to sleep safely with the
14124			 * wakeup flag in place.
14125			 */
14126			if (SCTP_SB_LIMIT_SND(so) <= (stcb->asoc.total_output_queue_size +
14127						      min(SCTP_BASE_SYSCTL(sctp_add_more_threshold), SCTP_SB_LIMIT_SND(so)))) {
14128				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
14129#if defined(__APPLE__)
14130#if defined(APPLE_LEOPARD)
14131					sctp_log_block(SCTP_BLOCK_LOG_INTO_BLK,
14132						       asoc, uio->uio_resid);
14133#else
14134					sctp_log_block(SCTP_BLOCK_LOG_INTO_BLK,
14135						       asoc, uio_resid(uio));
14136#endif
14137#else
14138					sctp_log_block(SCTP_BLOCK_LOG_INTO_BLK,
14139						       asoc, uio->uio_resid);
14140#endif
14141				}
14142				be.error = 0;
14143#if !defined(__Panda__) && !defined(__Windows__)
14144				stcb->block_entry = &be;
14145#endif
14146#if defined(__APPLE__)
14147				sbunlock(&so->so_snd, 1);
14148#endif
14149				error = sbwait(&so->so_snd);
14150				stcb->block_entry = NULL;
14151
14152				if (error || so->so_error || be.error) {
14153					if (error == 0) {
14154						if (so->so_error)
14155							error = so->so_error;
14156						if (be.error) {
14157							error = be.error;
14158						}
14159					}
14160					SOCKBUF_UNLOCK(&so->so_snd);
14161					goto out_unlocked;
14162				}
14163
14164#if defined(__APPLE__)
14165				error = sblock(&so->so_snd, SBLOCKWAIT(flags));
14166#endif
14167				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
14168					sctp_log_block(SCTP_BLOCK_LOG_OUTOF_BLK,
14169						       asoc, stcb->asoc.total_output_queue_size);
14170				}
14171			}
14172			SOCKBUF_UNLOCK(&so->so_snd);
14173			if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
14174				goto out_unlocked;
14175			}
14176		}
14177		SCTP_TCB_SEND_LOCK(stcb);
14178		if (sp) {
14179			if (sp->msg_is_complete == 0) {
14180				strm->last_msg_incomplete = 1;
14181				asoc->stream_locked = 1;
14182				asoc->stream_locked_on  = srcv->sinfo_stream;
14183			} else {
14184				sp->sender_all_done = 1;
14185				strm->last_msg_incomplete = 0;
14186				asoc->stream_locked = 0;
14187			}
14188		} else {
14189			SCTP_PRINTF("Huh no sp TSNH?\n");
14190			strm->last_msg_incomplete = 0;
14191			asoc->stream_locked = 0;
14192		}
14193		SCTP_TCB_SEND_UNLOCK(stcb);
14194#if defined(__APPLE__)
14195#if defined(APPLE_LEOPARD)
14196		if (uio->uio_resid == 0) {
14197#else
14198		if (uio_resid(uio) == 0) {
14199#endif
14200#else
14201		if (uio->uio_resid == 0) {
14202#endif
14203			got_all_of_the_send = 1;
14204		}
14205	} else {
14206		/* We send in a 0, since we do NOT have any locks */
14207		error = sctp_msg_append(stcb, net, top, srcv, 0);
14208		top = NULL;
14209		if (srcv->sinfo_flags & SCTP_EOF) {
14210			/*
14211			 * This should only happen for Panda for the mbuf
14212			 * send case, which does NOT yet support EEOR mode.
14213			 * Thus, we can just set this flag to do the proper
14214			 * EOF handling.
14215			 */
14216			got_all_of_the_send = 1;
14217		}
14218	}
14219	if (error) {
14220		goto out;
14221	}
14222dataless_eof:
14223	/* EOF thing ? */
14224	if ((srcv->sinfo_flags & SCTP_EOF) &&
14225	    (got_all_of_the_send == 1)) {
14226		int cnt;
14227		SCTP_STAT_INCR(sctps_sends_with_eof);
14228		error = 0;
14229		if (hold_tcblock == 0) {
14230			SCTP_TCB_LOCK(stcb);
14231			hold_tcblock = 1;
14232		}
14233		cnt = sctp_is_there_unsent_data(stcb, SCTP_SO_LOCKED);
14234		if (TAILQ_EMPTY(&asoc->send_queue) &&
14235		    TAILQ_EMPTY(&asoc->sent_queue) &&
14236		    (cnt == 0)) {
14237			if (asoc->locked_on_sending) {
14238				goto abort_anyway;
14239			}
14240			/* there is nothing queued to send, so I'm done... */
14241			if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
14242			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
14243			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
14244				struct sctp_nets *netp;
14245
14246				/* only send SHUTDOWN the first time through */
14247				if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
14248					SCTP_STAT_DECR_GAUGE32(sctps_currestab);
14249				}
14250				SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT);
14251				SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
14252				sctp_stop_timers_for_shutdown(stcb);
14253				if (stcb->asoc.alternate) {
14254					netp = stcb->asoc.alternate;
14255				} else {
14256					netp = stcb->asoc.primary_destination;
14257				}
14258				sctp_send_shutdown(stcb, netp);
14259				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
14260				                 netp);
14261				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
14262				                 asoc->primary_destination);
14263			}
14264		} else {
14265			/*-
14266			 * we still got (or just got) data to send, so set
14267			 * SHUTDOWN_PENDING
14268			 */
14269			/*-
14270			 * XXX sockets draft says that SCTP_EOF should be
14271			 * sent with no data.  currently, we will allow user
14272			 * data to be sent first and move to
14273			 * SHUTDOWN-PENDING
14274			 */
14275			if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
14276			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
14277			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
14278				if (hold_tcblock == 0) {
14279					SCTP_TCB_LOCK(stcb);
14280					hold_tcblock = 1;
14281				}
14282				if (asoc->locked_on_sending) {
14283					/* Locked to send out the data */
14284					struct sctp_stream_queue_pending *sp;
14285					sp = TAILQ_LAST(&asoc->locked_on_sending->outqueue, sctp_streamhead);
14286					if (sp) {
14287						if ((sp->length == 0) && (sp->msg_is_complete == 0))
14288							asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT;
14289					}
14290				}
14291				asoc->state |= SCTP_STATE_SHUTDOWN_PENDING;
14292				if (TAILQ_EMPTY(&asoc->send_queue) &&
14293				    TAILQ_EMPTY(&asoc->sent_queue) &&
14294				    (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
14295				abort_anyway:
14296					if (free_cnt_applied) {
14297						atomic_add_int(&stcb->asoc.refcnt, -1);
14298						free_cnt_applied = 0;
14299					}
14300					sctp_abort_an_association(stcb->sctp_ep, stcb,
14301					                          NULL, SCTP_SO_LOCKED);
14302					/* now relock the stcb so everything is sane */
14303					hold_tcblock = 0;
14304					stcb = NULL;
14305					goto out;
14306				}
14307				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
14308				                 asoc->primary_destination);
14309				sctp_feature_off(inp, SCTP_PCB_FLAGS_NODELAY);
14310			}
14311		}
14312	}
14313skip_out_eof:
14314	if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue)) {
14315		some_on_control = 1;
14316	}
14317	if (queue_only_for_init) {
14318		if (hold_tcblock == 0) {
14319			SCTP_TCB_LOCK(stcb);
14320			hold_tcblock = 1;
14321		}
14322		if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) {
14323			/* a collision took us forward? */
14324			queue_only = 0;
14325		} else {
14326			sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED);
14327			SCTP_SET_STATE(&stcb->asoc, SCTP_STATE_COOKIE_WAIT);
14328			queue_only = 1;
14329		}
14330	}
14331	if ((net->flight_size > net->cwnd) &&
14332	    (stcb->asoc.sctp_cmt_on_off == 0)) {
14333		SCTP_STAT_INCR(sctps_send_cwnd_avoid);
14334		queue_only = 1;
14335	} else if (asoc->ifp_had_enobuf) {
14336		SCTP_STAT_INCR(sctps_ifnomemqueued);
14337		if (net->flight_size > (2 * net->mtu)) {
14338			queue_only = 1;
14339		}
14340		asoc->ifp_had_enobuf = 0;
14341	}
14342	un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
14343	           (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
14344	if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
14345	    (stcb->asoc.total_flight > 0) &&
14346	    (stcb->asoc.stream_queue_cnt < SCTP_MAX_DATA_BUNDLING) &&
14347	    (un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD))) {
14348		/*-
14349		 * Ok, Nagle is set on and we have data outstanding.
14350		 * Don't send anything and let SACKs drive out the
14351		 * data unless wen have a "full" segment to send.
14352		 */
14353		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
14354			sctp_log_nagle_event(stcb, SCTP_NAGLE_APPLIED);
14355		}
14356		SCTP_STAT_INCR(sctps_naglequeued);
14357		nagle_applies = 1;
14358	} else {
14359		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
14360			if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY))
14361				sctp_log_nagle_event(stcb, SCTP_NAGLE_SKIPPED);
14362		}
14363		SCTP_STAT_INCR(sctps_naglesent);
14364		nagle_applies = 0;
14365	}
14366	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
14367		sctp_misc_ints(SCTP_CWNDLOG_PRESEND, queue_only_for_init, queue_only,
14368		               nagle_applies, un_sent);
14369		sctp_misc_ints(SCTP_CWNDLOG_PRESEND, stcb->asoc.total_output_queue_size,
14370		               stcb->asoc.total_flight,
14371		               stcb->asoc.chunks_on_out_queue, stcb->asoc.total_flight_count);
14372	}
14373	if ((queue_only == 0) && (nagle_applies == 0) && (stcb->asoc.peers_rwnd && un_sent)) {
14374		/* we can attempt to send too. */
14375		if (hold_tcblock == 0) {
14376			/* If there is activity recv'ing sacks no need to send */
14377			if (SCTP_TCB_TRYLOCK(stcb)) {
14378				sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
14379				hold_tcblock = 1;
14380			}
14381		} else {
14382			sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
14383		}
14384	} else if ((queue_only == 0) &&
14385	           (stcb->asoc.peers_rwnd == 0) &&
14386	           (stcb->asoc.total_flight == 0)) {
14387		/* We get to have a probe outstanding */
14388		if (hold_tcblock == 0) {
14389			hold_tcblock = 1;
14390			SCTP_TCB_LOCK(stcb);
14391		}
14392		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
14393	} else if (some_on_control) {
14394		int num_out, reason, frag_point;
14395
14396		/* Here we do control only */
14397		if (hold_tcblock == 0) {
14398			hold_tcblock = 1;
14399			SCTP_TCB_LOCK(stcb);
14400		}
14401		frag_point = sctp_get_frag_point(stcb, &stcb->asoc);
14402		(void)sctp_med_chunk_output(inp, stcb, &stcb->asoc, &num_out,
14403		                            &reason, 1, 1, &now, &now_filled, frag_point, SCTP_SO_LOCKED);
14404	}
14405	SCTPDBG(SCTP_DEBUG_OUTPUT1, "USR Send complete qo:%d prw:%d unsent:%d tf:%d cooq:%d toqs:%d err:%d\n",
14406	        queue_only, stcb->asoc.peers_rwnd, un_sent,
14407		stcb->asoc.total_flight, stcb->asoc.chunks_on_out_queue,
14408	        stcb->asoc.total_output_queue_size, error);
14409
14410out:
14411#if defined(__APPLE__)
14412	sbunlock(&so->so_snd, 1);
14413#endif
14414out_unlocked:
14415
14416	if (local_soresv && stcb) {
14417		atomic_subtract_int(&stcb->asoc.sb_send_resv, sndlen);
14418	}
14419	if (create_lock_applied) {
14420		SCTP_ASOC_CREATE_UNLOCK(inp);
14421	}
14422	if ((stcb) && hold_tcblock) {
14423		SCTP_TCB_UNLOCK(stcb);
14424	}
14425	if (stcb && free_cnt_applied) {
14426		atomic_add_int(&stcb->asoc.refcnt, -1);
14427	}
14428#ifdef INVARIANTS
14429#if !defined(__APPLE__)
14430	if (stcb) {
14431		if (mtx_owned(&stcb->tcb_mtx)) {
14432			panic("Leaving with tcb mtx owned?");
14433		}
14434		if (mtx_owned(&stcb->tcb_send_mtx)) {
14435			panic("Leaving with tcb send mtx owned?");
14436		}
14437	}
14438#endif
14439#endif
14440#ifdef __Panda__
14441	/*
14442	 * Handle the EAGAIN/ENOMEM cases to reattach the pak header
14443	 * to particle when pak is passed in, so that caller
14444	 * can try again with this pak
14445	 *
14446	 * NOTE: For other cases, including success case,
14447	 * we simply want to return the header back to free
14448	 * pool
14449	 */
14450	if (top) {
14451		if ((error == EAGAIN) || (error == ENOMEM)) {
14452			SCTP_ATTACH_CHAIN(i_pak, top, sndlen);
14453			top = NULL;
14454		} else {
14455			(void)SCTP_RELEASE_HEADER(i_pak);
14456		}
14457	} else {
14458		/* This is to handle cases when top has
14459		 * been reset to NULL but pak might not
14460		 * be freed
14461		 */
14462		if (i_pak) {
14463			(void)SCTP_RELEASE_HEADER(i_pak);
14464		}
14465	}
14466#endif
14467#ifdef INVARIANTS
14468	if (inp) {
14469		sctp_validate_no_locks(inp);
14470	} else {
14471		SCTP_PRINTF("Warning - inp is NULL so cant validate locks\n");
14472	}
14473#endif
14474	if (top) {
14475		sctp_m_freem(top);
14476	}
14477	if (control) {
14478		sctp_m_freem(control);
14479	}
14480	return (error);
14481}
14482
14483
14484/*
14485 * generate an AUTHentication chunk, if required
14486 */
14487struct mbuf *
14488sctp_add_auth_chunk(struct mbuf *m, struct mbuf **m_end,
14489    struct sctp_auth_chunk **auth_ret, uint32_t * offset,
14490    struct sctp_tcb *stcb, uint8_t chunk)
14491{
14492	struct mbuf *m_auth;
14493	struct sctp_auth_chunk *auth;
14494	int chunk_len;
14495	struct mbuf *cn;
14496
14497	if ((m_end == NULL) || (auth_ret == NULL) || (offset == NULL) ||
14498	    (stcb == NULL))
14499		return (m);
14500
14501	if (stcb->asoc.auth_supported == 0) {
14502		return (m);
14503	}
14504	/* does the requested chunk require auth? */
14505	if (!sctp_auth_is_required_chunk(chunk, stcb->asoc.peer_auth_chunks)) {
14506		return (m);
14507	}
14508	m_auth = sctp_get_mbuf_for_msg(sizeof(*auth), 0, M_NOWAIT, 1, MT_HEADER);
14509	if (m_auth == NULL) {
14510		/* no mbuf's */
14511		return (m);
14512	}
14513	/* reserve some space if this will be the first mbuf */
14514	if (m == NULL)
14515		SCTP_BUF_RESV_UF(m_auth, SCTP_MIN_OVERHEAD);
14516	/* fill in the AUTH chunk details */
14517	auth = mtod(m_auth, struct sctp_auth_chunk *);
14518	bzero(auth, sizeof(*auth));
14519	auth->ch.chunk_type = SCTP_AUTHENTICATION;
14520	auth->ch.chunk_flags = 0;
14521	chunk_len = sizeof(*auth) +
14522	    sctp_get_hmac_digest_len(stcb->asoc.peer_hmac_id);
14523	auth->ch.chunk_length = htons(chunk_len);
14524	auth->hmac_id = htons(stcb->asoc.peer_hmac_id);
14525	/* key id and hmac digest will be computed and filled in upon send */
14526
14527	/* save the offset where the auth was inserted into the chain */
14528	*offset = 0;
14529	for (cn = m; cn; cn = SCTP_BUF_NEXT(cn)) {
14530		*offset += SCTP_BUF_LEN(cn);
14531	}
14532
14533	/* update length and return pointer to the auth chunk */
14534	SCTP_BUF_LEN(m_auth) = chunk_len;
14535	m = sctp_copy_mbufchain(m_auth, m, m_end, 1, chunk_len, 0);
14536	if (auth_ret != NULL)
14537		*auth_ret = auth;
14538
14539	return (m);
14540}
14541
14542#if defined(__FreeBSD__)  || defined(__APPLE__)
14543#ifdef INET6
14544int
14545sctp_v6src_match_nexthop(struct sockaddr_in6 *src6, sctp_route_t *ro)
14546{
14547	struct nd_prefix *pfx = NULL;
14548	struct nd_pfxrouter *pfxrtr = NULL;
14549	struct sockaddr_in6 gw6;
14550
14551	if (ro == NULL || ro->ro_rt == NULL || src6->sin6_family != AF_INET6)
14552		return (0);
14553
14554	/* get prefix entry of address */
14555	LIST_FOREACH(pfx, &MODULE_GLOBAL(nd_prefix), ndpr_entry) {
14556		if (pfx->ndpr_stateflags & NDPRF_DETACHED)
14557			continue;
14558		if (IN6_ARE_MASKED_ADDR_EQUAL(&pfx->ndpr_prefix.sin6_addr,
14559		    &src6->sin6_addr, &pfx->ndpr_mask))
14560			break;
14561	}
14562	/* no prefix entry in the prefix list */
14563	if (pfx == NULL) {
14564		SCTPDBG(SCTP_DEBUG_OUTPUT2, "No prefix entry for ");
14565		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)src6);
14566		return (0);
14567	}
14568
14569	SCTPDBG(SCTP_DEBUG_OUTPUT2, "v6src_match_nexthop(), Prefix entry is ");
14570	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)src6);
14571
14572	/* search installed gateway from prefix entry */
14573	LIST_FOREACH(pfxrtr, &pfx->ndpr_advrtrs, pfr_entry) {
14574		memset(&gw6, 0, sizeof(struct sockaddr_in6));
14575		gw6.sin6_family = AF_INET6;
14576#ifdef HAVE_SIN6_LEN
14577		gw6.sin6_len = sizeof(struct sockaddr_in6);
14578#endif
14579		memcpy(&gw6.sin6_addr, &pfxrtr->router->rtaddr,
14580		    sizeof(struct in6_addr));
14581		SCTPDBG(SCTP_DEBUG_OUTPUT2, "prefix router is ");
14582		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)&gw6);
14583		SCTPDBG(SCTP_DEBUG_OUTPUT2, "installed router is ");
14584		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, ro->ro_rt->rt_gateway);
14585		if (sctp_cmpaddr((struct sockaddr *)&gw6,
14586				ro->ro_rt->rt_gateway)) {
14587			SCTPDBG(SCTP_DEBUG_OUTPUT2, "pfxrouter is installed\n");
14588			return (1);
14589		}
14590	}
14591	SCTPDBG(SCTP_DEBUG_OUTPUT2, "pfxrouter is not installed\n");
14592	return (0);
14593}
14594#endif
14595
14596int
14597sctp_v4src_match_nexthop(struct sctp_ifa *sifa, sctp_route_t *ro)
14598{
14599#ifdef INET
14600	struct sockaddr_in *sin, *mask;
14601	struct ifaddr *ifa;
14602	struct in_addr srcnetaddr, gwnetaddr;
14603
14604	if (ro == NULL || ro->ro_rt == NULL ||
14605	    sifa->address.sa.sa_family != AF_INET) {
14606		return (0);
14607	}
14608	ifa = (struct ifaddr *)sifa->ifa;
14609	mask = (struct sockaddr_in *)(ifa->ifa_netmask);
14610	sin = &sifa->address.sin;
14611	srcnetaddr.s_addr = (sin->sin_addr.s_addr & mask->sin_addr.s_addr);
14612	SCTPDBG(SCTP_DEBUG_OUTPUT1, "match_nexthop4: src address is ");
14613	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &sifa->address.sa);
14614	SCTPDBG(SCTP_DEBUG_OUTPUT1, "network address is %x\n", srcnetaddr.s_addr);
14615
14616	sin = (struct sockaddr_in *)ro->ro_rt->rt_gateway;
14617	gwnetaddr.s_addr = (sin->sin_addr.s_addr & mask->sin_addr.s_addr);
14618	SCTPDBG(SCTP_DEBUG_OUTPUT1, "match_nexthop4: nexthop is ");
14619	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, ro->ro_rt->rt_gateway);
14620	SCTPDBG(SCTP_DEBUG_OUTPUT1, "network address is %x\n", gwnetaddr.s_addr);
14621	if (srcnetaddr.s_addr == gwnetaddr.s_addr) {
14622		return (1);
14623	}
14624#endif
14625	return (0);
14626}
14627#elif defined(__Userspace__)
14628/* TODO __Userspace__ versions of sctp_vXsrc_match_nexthop(). */
14629int
14630sctp_v6src_match_nexthop(struct sockaddr_in6 *src6, sctp_route_t *ro)
14631{
14632    return (0);
14633}
14634int
14635sctp_v4src_match_nexthop(struct sctp_ifa *sifa, sctp_route_t *ro)
14636{
14637    return (0);
14638}
14639
14640#endif
14641